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1. Forward 

This document is an industry specification that enables trust in computing platforms in general. 

This specification defines a trusted Subsystem that is an integral part of each platform, and provides 
functions that can be used by enhanced operating systems and applications. The Subsystem employs 
cryptographic methods when establishing trust, and while this does not in itself convert a platform into a 
secure computing environment, it is a significant step in that direction. 

Standardization is necessary so that the security and cryptographic community can assess the 
mechanisms involved, and so that customers can understand and tmst the effectiveness of new features. 
Manufacturers will compete in the marketplace by installing Subsystems with varying capabilities and cost 
points. The Subsystem itself will have basic functions that maintain privacy, yet support the identity and 
authentication of entities such as the platform, the user, and other entities. The Subsystem will have other 
capabilities to protect data and verify certain operational aspects of the platform. It can be a separate 
device or devices, or it can be integrated into some existing component or components provided the 
implementation meets the requirements of this specification. This is necessary to achieve the 
fundamental goal of ubiquity. 

Please note a very important distinction between different sections of text throughout this document. 
Beginning in chapter 2. "The Trusted Platform Subsystem," you will encounter two distinctive kinds of text: 
informative comment and nomiative statements. Because most of the text in this specification will be of 
the kind normative statements, the authors have informally defined it as the default and, as such, have 
specifically called out text of the kind informative comment. They have done this by flagging the beginning 
and end of each informative comment and highlighting its text in gray. This means that unless text is 
specifically marked as of the kind informative comment, you can consider it of the kind normative 
statements. 

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL." "SHALL NOT," "SHOULD." "SHOULD 
NOT." "RECOMMENDED," "MAY," and "OPTIONAL" in the chapters 2-10 nomiatlve statements are to be 
interpreted as described in [RFC-21 19]. 



For example: 




This is the first paragraph of one or more paragraphs (and/or sections) containing the text of the kind 

normative statements ... 

To understand the TCG specification the user MUST read the specification. (This use of MUST indicates 
a keyword usage and requires an action). 
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2. The Trusted Platform Subsystem 
2.1 Introduction 




2.2 Roots of Trust 
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2.2.1 Definitions 

Root of Trust for Measurement (RTM) 

The point from which all trust in the measurement process is predicated. The RTM contains many 
components to provide this level of trust. The design document shows that the RTM includes a core 
component, the computing engine to run the core component, physical connections of the core and the 
computing engine and other items. 

Core Root of Trust for Measurement (CRTM) 

The component of the RTM from which the platfonm begins execution of its trusted state. 
Root of Trust for Reporting (RTR) 

The point from which all tmst in reporting of measured information is predicated. 
Root of Trust for Storing (RTS) 

The point from which all trust in Protected Storage is predicated. 

2.2.2 Instantiations and Trust Bindings 
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TPM contents 



Asymmetric key generation 



Asymmetric encryption co-processor 



Computing engine 



Hmac 



Power detection 



Hash 



RNG 



TPM-owner memory 



entity-owner memory 



Nonce 
Auth handle 
Digest 

Ephemeral secret 



Nonce 
Auth handle 
Digest 

Ephemeral secret 



memory 



PCRs (DWORDs) 



Parent key (2048b) 
ChUd key (2048b) 
Scratch pad 



PlatformCoiifigurationRegisterO 



PlatformConfigurationRegister? 



Non-volatile memory 



Keys 

Private endorsement (2048b) 
StorageRootKey (2048b) 
Maintenance (2048b) 
TPME-identity-key (2048b) 

Authorisation (160b> 
Owner 

Flags 

KillMaintenance 

DisableOwnerReset 

TPMStaticDisable 

RNG-state-register (variable) 
Data-integrity-register (DWORD) 
MAC-secret (variable) 

Programs (variable, large) 



A Trusted Platfonm SHALL include the following: 

• at least one root of trust for measuring integrity metrics, 

• exactly one root of trust for storing and reporting integrity metrics, 

• at least one Trusted Platform Measurement Store, 

• at least one TCG Validation Data, and 

• exactly one Trusted Platform Agent. 



The Endorsement Key is transitively bound to the Platform via the TPM as follows: 

1 . An Endorsement Key is bound to one and only one TPM (i.e.. there is a one to one correspondence 
between an Endorsement Key and a TPM.) 

2. A TPM is bound to one and only one Platform, (i.e.. there is a one to one correspondence between a 
TPM and a Platform.) 

3. Therefore, an Endorsement Key is bound to a Platform, (i.e., there is a one to one correspondence 
between an Endorsement Key and a Platform.) 

An Instantiation of the root of trust for measuring integrity metrics, while acting as the root of trust for 
measuring integrity metrics, SHALL do the following: 

• execute no programs other than those intended by the entity that vouches for the root of trust for 
measuring Integrity metrics, 

• be resistant to the forms of software attack and to the forms of physical attack implied by the 
platform's Protection Profile, 

• accurately measure at least one Integrity metric that indicates the soflwar* environment of a platform, 
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• accurately record measured integrity metrics to a root of trust for storing and reporting integrity 
metrics, and 

• accurately record details of the process of measuring all Its Integrity metrics to a Trusted Platform 
Measurement Store. 

An instantiation of the root of trust for storing and reporting integrity metrics SHALL do the following: 

• be resistant to all fomis of software attack and to the fonrns of physical attack implied by the platform's 
Protection Profile. 

• accept recording of measured integrity metrics, and 

• supply an accurate digest of all sequences of presented integrity metrics. 

An instantiation of a Trusted Platfomn Measurement Store SHOULD do the following: 

• accurately accept, store and supply details of at least one process of measuring an integrity metric. 

An instantiation of the repository for TCG Validation Data SHOULD do the following: 

• accurately store and supply a predicted value of at least one integrity metric. 

An instantiation of the Trusted Platfomri Agent SHOULD do the following: 

• obtain and supply an accurate report from the root of trust for storing and reporting integrity metrics of 
at least one sequence of integrity metrics in a fonm that prevents misrepresentation of that sequence 
or its source, 

• obtain and supply an accurate report from a Trusted Platform Measurement Store of at least one set 
of details describing the measurement of an integrity metric, and 

• obtain and supply an accurate report from the repository for TCG Validation Data of at least one 
predicted value of an integrity metric 

2.3 Integrity Operations 
2.3.1 Storage of Integrity IMetrlcs 
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integrity metrics that are presented to a TPM SHALL be stored inside that TPM in a way that prevents 
misrepresentation of the presented values or of the sequence in which they were presented. 

2.3.2 Reporting of Integrity A/letrics 
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Sequences of integrity metrics reported by the TPM SHALL be reported by that TPM in a way that 
prevents misrepresentation of the sequences and prevents misrepresentation of the reporting TPM 



2.4 Use of Keys Associated with TPM Identities 




It MUST be possible to reliably distinguish between the private key of a TPM identity and other keys. 



A key that Is distinguished as the private key of a TPM Identity SHALL NOT be used to generate a digital 
signature value over data that could mimic the output of a TCG protected capability. 

A TPM SHALL NOT use a key that is distinguished as the private key of a TPM identity except during the 
part of a TCG "protected capability" whose specification permits and/or requires the use of a TPM identity. 

When signing on behalf of a TPM identity during the part of a TCG protected capability whose 
specification requires the signature of a TPM identity, a TPM SHALL NOT use a key other than one that 
is distinguished as the private key of a TPM identity. 



2.5 Cryptographic Operations 
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2.6 Opting to use a TPM 
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End of informative comment 



2.6.1 Enabling Ownership 




2.6.2 Activating a TPIM 
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2.7 Protected, Unprotect d, and C nnection Op rati ns 




No operation outside the TPM SHALL affect the security of the TPM. only the ability of the TPM to 
operate. TCG Operations are classified as: 



Protected Operations 
Unprotected Operations 
Connection Operations 



Operations affecting the security properties of TCG. These are 
TPM Operations. These begin with TPM_ 
Operations supporting the protected operations. These are 
normally implemented outside the TPM. This begin with TSS_ 

Operations affecting the connection of the platfomn to the TPM. 
These are typically defined in the Platfonm Specific 
specifications. These begin with TSC_. 



Version 1.1a 1 Set nriber2001 



Page 1 4 

TCG Main Specification 



3. Protection 
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For the purposes of the "Protection" section of the specification: the threats that MUST be ronsidered 
when detemSning whether the platform facilitates subversion of TCG-protected capab'l;t.es or data in 
TCG-shtSd Stions SHALL include the methods inherent in physical attacks that should fail if the 
SS,rm1ompne?S^^ profile, and SHALL include all methods that require execution of 

instructions in a computing engine in the platfonn. 



3.3 Integrity 




A platfonn SHALL NOT facilitate the alteration of TCG-protected capabilities or data in TCG-shtelded 
locations, except by TCG-protected capabilities. 

3.4 Privileged Access 




A platform SHALL NOT facilitate the disclosure or the exposure of data in TCG-shielded locations, except 
to TCG-protected capabilities. 

3.5 Side effects 




The Implementation of a TCG-protected capability in a platfom. SHALL NOT facilitate the disclosure or 
the exposure of data in TCG-shielded locations except by means unavoidably inherent in the TCG 
definition. 
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4. Structures and D fin s 




4.1 .1 Endness of Structures 

appear to the far left. ^ 

4.1.2 Byte Packing 

All structures MUST be packed on a byte boundary. 

4.1.3 Lengths 

The "Byte" is the unit of length when the length of a parameter is specified. 
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4.2 Defin s 




4.2.1 Basic data types 



Typedef 


Name 


Description 


unsigned char 


BYTE 


Basic byte used to transmit all character fields. 


unsigned char 


BOOL 


TRUE/FALSE field. TRUE = 0x01 . FALSE = 0x00 


unsigned short 


UINT16 


16 bit field. The definition in different architectures may 
need to specify 16 bits instead of the short definition 


unsigned long 


UINT32 


32 bit field. The definition in different architectures may 
need to specify 32 bits instead of the long definition 



4.2.2 Boolean types 



Name 


Value 


Description 


TRUE 


0x01 


Assertion 


FALSE 


0x00 


Contradiction 



4.2.3 Helper redefinitions 

The following definitions are to make the IDL definitions more explicit and easier to read. 
Parameters 



Typedef 


Name 


Description 


UINT32 


TCG_PCRINDEX 


Index to a PGR register 


UINT32 


TCG_DIRINDEX 


Index to a DIR register 


UINT32 


TCG_AUTHHANDLE 


Handle to an authorization session 


UINT32 


TSS_HASHHANDLE 


Handle to a hash session 


UINT32 


TS S_HMAC HHANDLE 


Handle to a HMAC session 


UINT32 


TCG_ENCHANDLE 


Handle to a encryption/decryption session 


UINT32 


TCG_KEy_HANDLE 


The area where a key is held assigned by the TPM. 


UINT32 


TCG_RESULT 


The return code from a function 
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4.2.4 Enum rated Helper redefiniti ns 



Tvpedef 


Name 


Description 


UINT32 


TCG_COMMAND_CODE 


The command ordinal. See 4.33 


UINT16 


TCG_PROTOCOL_I D 


The protocol in use. See 4.17 


UINT32 


TCG_EVENTTYPE 


Type of PGR event. See 4.25.2 


BYTE 


TCG_AUTH_DATA_USAGE 


Indicates the conditions where It is required that 
authorization be presented. See 4.1 1 


UNIT16 


TCG_ENTITY_TYPE 


Indicates the types of entity that are supported by the 
TPM. See 4.15 


UNIT32 


TCG_ALGORITHM_ID 


Indicates the type of algorithm. See 4.18 


UNIT16 


TCG_KEY_USAGE 


Indicates the permitted usage of the key. See 4.10 


UINT16 


TCG_STARTUP_TYPE 


Indicates the start state. See 4.16 


UINT32 


TCG_CAPAB I L I T Y_ARE A 


Identifies a TPM capability area. See 4.31 


UINT16 


TCG_ENC_SCHEME 


The definition of the encryption scheme. See 8.4 


UINT16 


TCG_SIG_SCHEME 


The definition of the signature scheme. See 8.5 


UINT16 


TCG_MIGRATE__SCHEME 


The definition of the migration scheme 4.22 


UINT16 


TCG_PHYS ICAL_PRESENCE 


Sets the state of the physical presence mechanism. See 
section 4.19 


UINT32 


TCG_KEY_FLAGS 


Indicates information regarding a key. See 4.12 
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4.2.5 Vendor specific 




The following defines allow for the quick specification of a vendor specific item. 
Parameters 



Name 


Value 


TCG Vendor Specifics 2 


0x00000400 


TCG Vendor Specifics 


0x80 
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4.3 Return cod s 




Description 



When a command falls for ANY reason, the TPM MUST retum only the following three items: 

• TPM_TAG_RQU_COMMAND (2 bytes) 

• ParamLength(4 bytes, fixed at 10) 

• Retum Code (4 bytes, never TCG_SUCCESS) 

When a capability has failed to complete successfully, the TPM MUST retum a legal en-or code. 
Otherwise the TPM SHOULD return TCG_SUCCESS. If a TPM retums an en-or code after executing a 
capability, it SHOULD be the error code specified by the capability or another legal en-or code that is 
appropriate to the error condition 

A fatal failure SHALL cause termination of the associated authorization session. A non-fatal failure 
SHALL NOT cause temnination of the associated authorization session. 

The retum code MUST be chosen firom the following lists. 

Mask Parameters 



Name 


Value 


Description 


TCG_BASE 


0x0 


The start of TCG retum codes 


TCG_SUCCESS 


TCG_BASE 


Successful completion of the operation 


TCG_VENDOR_ERROR 


TCG_Vendor_Specific32 


Mask to indicate that the error code is vendor 
specific for vendor specific commands. 


TCG_NON_FATAL 


0x00000800 


Mask to indicate that the error code is a non- 
fatal failure. 



TCG-defined fatal error codes 



Name 


Value 


Description 


TCG_AUTHFAIL 


TCG_BASE + 1 


Authentication failed 


TCG_BADINDEX 


TCG_BASE + 2 


The index to a PCR, DIR or other register is 
incorrect 
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TCG BAD_rARAMETJliK 




Onp nr mnrp oarameter Is bad 


TCG AUDITFAIliURi:* 




An oneration comoieted successfullv but the 
auditing of that operation failed. 


TCG_CLEAR_DISABLED 


TCG^BASE + 5 


The clear disable flag is set and all clear 
operations now require physical access 


TCG_DEACT IVATED 


TCG_BASE + 6 


The TPM is deactivated 


TCG_DISABLED 


TCG_BASE + 7 


The TPM is disabled 


TCG_D I SAB LE D_CMD 


TCG_BASE + 8 


The target command has been disabled 


TCG_FAIL 


TCG_BASE + 9 


The operation failed 


TCG_BAD_ORDINAL 


TCG_BASE +10 


The ordinal was unknown or inconsistent 


TCG_INSTALL_DISABLED 


TCG_BASE +11 


The ability to install an owner is disabled 


TCG_INVAL I D_KEy HANDLE 


TCG_BASE +12 


The key handle presented was invalid 


TCG_KEYNOTFOUND 


TCG_BASE +13 


The target key was not found 


TCG_rNAPPROPRIATE_ENC 


TCG_BASE +14 


Unacceptable encryption scheme 


TCG__MIGRATEFAIL 


TCG_BASE +15 


Migration authorization failed 


TCG INVALID_PCR_INFO 


TCG__dASE + lb 


D/^D informotion r*rtiilH nnt hpt intprarstsd 

r^Oix iriTUr 1 1 laUwl 1 OUUIU liui w» iiiroipi^iow 


TCG_NO SPACE 


TCG BAb£ + 1 / 


iHO room uj luau ivcsy. 


TCG_NOSRK 


TCG_BASE +18 


There is no SRK set 


TCG_NOTSEALED_BLOB 


TCG_BASE +19 


An encrypted blob is invalid or was not created 
by this TPM 


TCG_OWNER_SET 


TCG_BASE +20 


There is already an Owner 


TCG_RESOURCES 


TCG_BASE +21 


The TPM has insufficient internal resources to 
perform the requested action. 


TCG_S HORT RANDOM 


TCG_BASE +22 


A random string was too short 


TCG_SIZE 


TCG_BASE +23 


The TPM does not have the space to perform 
the operation. 


TCG_WRONGPCRVAL 


TCG_BASE +24 


The named PGR value does not match the 
current PGR value. 


TCG_BAD_PARAM_S I ZE 


TCG_BASE +25 


The paramSize argument to the command has 

the incorrect value 


T CG_S H A_T HRE AD 


TCG_BASE +26 


There Is no existing SHA-1 thread. 


TCG_SHA_ERROR 


TCG__BASE + 27 


The calculation is unable to proceed because 
the existing SHA-1 thread has already 
encountered an error. 


TCG_FAILEDSELFTEST 


TCG_BASE +28 


Self-test has failed and the TPM has shutdown. 


TCG_AUTH2FAIL 


TCG_BASE +29 


The authorization for the second key in a 2 key 
function failed authorization 


TCG_BADTAG 


TCG_BASE +30 


The tag value sent to for a command is invalid 


TCG lOERROR 


TCG BASE +31 


An lO error occurred transmitting information to 
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the TPM 


T CG__ENC RY PT_ERROR 


TCG_BASE +32 


The encryption process had a problem. 






The decryption process did not complete. 


TCG_INVALID_AUTHHANDLE 


TCG_BASE +34 


An invaiid handle was used. 


TCG_NO_ENDORSEMENT 


TCG_BASE +35 


The TPM does not a EK installed 


TCG_INVALID_KEYUSAGE 


TCG_BASE +36 


The usage of a key is not allowed 


TCG_WRONG_ENTITYTYPE 


TCG_BASE +37 


The submitted entity type is not allowed 


TCG_INVALID_POSTINIT 


TCG__BASE + 38 


The command was received in the wrong 
sequence relative to TPMJnit and a 
subsequent TPM_Startup 


TCG_INAPPROPRIATE_SIG 


TCG_BASE +39 


Signed data cannot include additional DER 

information 


TCG_BAD_KEY_PROPERTY 


TCG_BASE +40 


The key properties in TCG_KEY_PARMs are 
not supported by this TPM 


TCG_BAD__MIGRATION 


TCG_BASE +41 


The migration properties of this key are 
incorrect. 


TCG_BAD_SCHEME 


TCG_BASE +42 


The signature or encryption scheme for this key 
Is incorrect or not permitted in this situation. 


TCG BAD DAT AS I ZE 


TCG BASE + 43 


~rhlA 0170 nf frha Hstsi /nr KlnK\ naromofAr ie Korl 

or inconsistent with the referenced key 


TCG__BAD MODE 


TCG BASE + 44 


subCapArea for TPM_GetCapability, 
phsicalPresence parameter for 
TPM_PhysicalPresence, or 
migrationType for TPM_CreateMigrationBlob. 


TCG_BAD_PRESENCE 


TCG_BASE +45 


Either the physicalPresence or 
physicalPresenceLock bits have the wrong 
value 


TCG_BAD_VERS ION 


TCG_BASE +46 


The TPM cannot perform this version of the 
capability 


TCG-defined non-fetal errors 


Name 


Value 


Description 


TCG_RETRY 


TCG_BASE + 
TCG_NON_FATAL 


The TPM is too busy to respond to the 
command immediately, but the command could 
be resubmitted at a later time 
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4.4 Command Specification Table Description 

4.4.1 Introduction, Definition of Terms 

• The parameter order column (PARAM) lists the order in which the parameters must be added to the 
input or output array and their respective size. If this entry in the column is blank, then that parameter 
is not sent to the TPM driver. 

• <> in size column means that the size of the element is defined by the appropriate input parameter 
(sIzelnData controls inData). Where an explicit input 'size' parameter exists, it has been moved to 
immediately precede the array to which it refers so that there is no confusion. 

• When a null temninated string is included in a calculation, the terminating null SHALL NOT be 
included in the calculation. 

• The following rules concerning byte ordering within a parameter are consistent with Section 4.1 and 
follow Internet standards: 

1 . Elements of a structure are marshaled In the order in which they appear in the document. 

2. Byte arrays are marshaled starting with index 0. followed by index 1 , and so on. 

3. Integer types are marshaled most significant byte first. 

4. No padding bytes are to be inserted at any point. 

5. Bit ordering within the byte Is determined by the 10 channel in use. 

• Parameters are marshaled into the input or output arrays according to the following order: 

1 . Tag specifier 

2. Array length, including tag and length specifier bytes 

3. Command ordinal and/or return code 

4. Key handles 

5. Remaining fixed length parameters 

6. Remaining variable length parameters (with their size parameter) 

7. If applicable. First authorization setup (authHandle - input only, then nonce» then 
contlnueUse) 

8. If applicable, First Authorization digest 

9. If applicable, Second authorization setup 

10. If applicable, Second authorization digest 

4.4.2 HMAC Calculation for Authorization 

• All authorized parameters other than the authorization setup parameters (authHandle, nonces and 
contlnueUse) are hashed using SHA-1. This digest, refen-ed to as <paramDigest> throughout this 
document, is HMAC'd with the authorization setup parameters to form the authorization digest. 

• Where there are two authorization sessions within a single command (changeAuth, etc.) the two 
HMACs are computed using the common <paramDigest> but their respective setup parameters only. 

1. AuthDigestI = HMAC( <paramDlgest>, EvenNoncel, OddNoncel , continueUsel ) 

2. AuthDigest2 = HMAC( <paramDigest>, EvenNonce2, OddNonce2, continueUse2) 

• The comment after the HMAC authorization digest includes the source of the HMAC key for the 
digest. If the authorization session is of type OSAP. then the actual key is the sharedSecret that was 
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derived from the secret listed in the comment. For OIAP sessions, the HMAC key is the listed secret 
directly. 

• In the tables below, the order of computation of the SHA1 hash and HMACs are shown in the HMAC 
column. The subscript *S' refers to parameters that are hashed together using SHA1 to fonm 
<paramDigest>. The subscripts 'HV & 'H2' refer to parameters that are HMAC'd to fonm the first and 
second authorization digests. 

• Note that as the first element to the HMAC calculation Is <paramDigest>, HMAC element numbers 
start with 2 in all cases below. 

• In all cases, both Input and output, the HMAC calculation uses the following order: 

1 . <paramDigest> 

2. Even nonce (generated by TPM) 

3. Odd nonce (generated by system) 

4. ContinueUse 



4.4.3 Parameter List Tag Identifiers 



Tag 


Name 


Description 


0x0001 


TPM TAG RQU COMMAND 


A command with no authentication. 


0x0002 


TPM_TAG_RQU_AUTH1_C0MMAND 


An authenticated command with one 
authentication handle 


0x0003 


TPM_TAG_RQU_AUTH2_COMMAND 


An authenticated command with two 
authentication handles 


0x0004 


TPM_TAG_RSP_COMMAND 


A response from a command with no 
authentication 


0x0005 


TPM_TAG_RSP_AUTH1_COMMAND 


An authenticated response with one 
authentication handle 


0x0006 


TPM_TAG_RSP_AUTH2_COMMAND 


An authenticated response with two 
authentication handles 
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4.5 TCG VERSION 




IDL Definition 

typedef struct tdTCG_VERSION { 

BYTE major; 

BYTE minor; 

BYTE revMajor; 

BYTE revMinor; 
} TCG VERSION; 



Parameters 



Type 


Name 


Description 


BYTE 


major 


This SHALL be the major version indicator. For version 1 this MUST be 0x01 


BYTE 


minor 


This SHALL be the minor version indicator. For version 1 this MUST be 0x01 


BYTE 


revMa j or 


This SHALL be the value of the TCG_PERSISTENT_DATA -> revMajor 


BYTE 


revMinor 


This SHALL be the value of the TCG_PERSISTENT_DATA -> revMinor 



Descriptions 

The version points to the version of the specification that defines the structure. 

If a command submitted to a TPM includes a completed TCG_VERSION field, the TPM SHALL inspect 
the major and minor fields of the TCG_VERSION structure. If the capability indicated by the command 
ordinal is not designed to perform the version of the capability indicated by those major and minor fields, 
the TPM SHALL retum the en-or code TCG_BAD_VERSION 

If the validity of a structure depends on conformity to a version of the specification and/or to a version of 
the TPM, that structure SHALL include the cunrent instance of TCG^VERSION 
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4.6 TCG DIGEST 




Definition 

typedef struct tdTCG_DIGEST{ 
BYTE digest [digestSize] ; ' 
} TCG_DIGEST; 

Parameters 



Type 


Name 


Description 


BYTE 


digest 


This SHALL be the actual digest information 



Description 

The digestSize parameter MUST indicate the block size of the algorithm and MUST be 20 or greater. 

For all TCG v1 
therefore equal 

Redefinitions 



hash operations, the hash algorithm MUST be SHA-1 and the digestSize parameter is 
to 20. 



Typedef 


Name 


Description 


TCG_DIGEST 


TCG_PCRVALUE 


The value inside of the PGR 


TCG_DIGEST 


TCG_COMPOS ITE__HASH 


This SHALL be the hash of a list of PGR indexes 
and PGR values that a key or data is bound to (See 
10.4.5 for details) 


TCG_DIGEST 


TCG_D I RVALUE 


This SHALL be the value of a DIR register 


TCG_DIGEST 


TCG_HMAC 




TCG_DIGEST 


TCG_CHGSENID_HASH 


This SHALL be the digest of the chosen 
identityLabel and privacyCA for a new TPM identity. 
See 10.4.6 for details. 
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4.7 TCG NONCE 




Definition 

typedef struct tdTCG_NONCE{ 
BYTE nonce [20] ; 
} TCG_NONCE; 



Parameters 



Type 


Name 


Description 


BYTE 


nonce 


This SHALL be the 20 bytes of random data. When created by the TPM 
the value MUST be the next 20 bytes from the RNG. 
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4.8 TCG AUTHDATA 




Definition 



typedef BYTE tdTCG_AUTHDATA[20]; 

Parameters 

None. 

Descriptions 

When sending authorization data to the TPM the TPM does not validate the decryption of the data. It is 
the responsibility of the entity owner to validate that the authorization data was property received by the 
TPM. This could be done by immediately attempting to open an authorization session. 

The owner of the data can select any value for the data 

Redefinitions 



Typedef 


Name 


Description 


TCG_AUTHDATA 


TCG_SECRET 


A secret plaintext value used in the authorization process. 


TCG_AUTHDATA 


TCG_ENCAUTH 


A ciphertext (encrypted) version of authorization data. The 
encryption mechanism depends on the context. 
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4.9 TCG KEY^HANDLE^LIST 




IDL Definition 

typedef struct tdTCG_KEY_HANDLE_LIST { 
UINT16 loaded; 

[size_is (loaded) ] TCG_KEY_HANDLE handle [] ; 
} TCG_KEY_HANDLE_LIST; 



Parameters 



Type 


Name 


Description 


UINT16 


loaded 


The number of keys cun-entiy loaded in the TPM. 


UINT32 


handle 


An array of handles, one for each key cun-ently loaded in the TPM 



Description 

The order in which keys are reported is manufacturer-specific. 
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4.10 TCG KEY USAGE values 




Name 


Value 


Description 


TPM_KEY_SIGNING 


0x0010 


This SHALL indicate a signing key. The [pnvate] key SHALL be 
used for signing operations, only. This means that it MUST be a 
leaf of the Protected Storage key hierarchy. 


T PM_KE Y_STORAGE 


0x0011 


This SHALL indicate a storage key. The key SHALL be used to 
wrap and unwrap other keys in the Protected Storage hierarchy, 
only. 


TPM_KEy_IDENTITY 


0x0012 


This SHALL indicate an identity key. The key SHALL be used for 
operations that require a TPM identity, only. 


T PM_KEy_AUTHCHANGE 


0X0013 


This SHALL indicate an ephemeral key that Is in use dunng the 
ChangeAuthAsym process, only. 


TPM_KEY_BIND 


0x0014 


This SHALL Indicate a key that can be used for TPM_Bind and 
TPM_Unblnd operations only. 


TPM_KEY_LEGACy 


0x0015 


This SHALL Indicate a key that can perform signing and binding 
operations. The key MAY be used for both signing and binding 
operations. The TPM_KEY_LEGACY key type Is to allow for use 
by applications where both signing and encryption operations 
occur with the same key. The use of this key type is deprecated. 
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4.10.1 Mandatory Key Usage Schemes 




The key usage value for a key determines the encryption and / or signature schemes which MUST be 
used with that key. The table below maps the schemes defined by this specification to the defined key 
usage values. See sections 8.4 and 8.5. 



Name 


Allowed Encryption schemes 


Allowed Signature Schemes 


TPM_KEY_SIGNING 


TCG_ES_NONE 


TCG_SS_RSASSAPKCS1 v1 5_SHA1 
fCG_SS_RSASSAPCKS1V15_DER 


TPM_KEY_STORAGE 


TCG_ES_RSAESOAEP_SHA1_MGF1 


TCG_SS_NONE 


T PM_KE Y_I DENT I T Y 


TCG_,ES_NONE 


TCG_SS_RSASSAPKCS1 v1 5_SHA1 


TPM_KEY_AUTHCHANGE 


TCG_ES_RSAESOAEP_SHA1_MGF1 


TCG_SS_NONE 


TPM_KEY_BIND 


TCG_ES_RSAESOAEP_SHA1.MGF1 
TCG_ES_RSAESPKCSV1 5 


TCG_SS_NONE 


TPM_KEY_LEGACY 


TCG_ES_RSAESOAEP_SHA1_MGF1 
TCG_ES_RSAESPKCSV15 


TCG_SS_RSASSAPKCS1v15_SHA1 
TCG_SS_RSASSAPKCS1V15_DER 



Where manufacturer specific schemes are used, the strength must be at least that listed in the above 
table for TPM_KEY_STORAGE. TPM_KEY_IDENTITY and TPM_KEY_AUTHCHANGE key types. 
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4.11 TCG AUTH DATA USAGE valu s 




Name 


Value 


Description 


TPM_AUTH_NEVER 


0x00 


This SHALL indicate that usage of the key without authorization is 
pennitted. 


T PM_AUT H_ALWA Y S 


0x01 


This SIHALL indicate that on each usage of the key the 
authorization MUST be perfonned. 






All other values are reserved for future use. 
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4.12 TCG^KEY^FLAGS 




TCG KEY FLAGS Values 



Name 


Mask Value 


Description 


redirection 


0x00000001 


This mask value SHALL indicate the use of redirected output. 


migratable 


0x00000002 


This masic value SHALL indicate that the key is migratable. 


volatileKey 


0x00000004 


This mask value SHALL indicate that the key MUST be unloaded 
upon execution of the TPMJnit/TPM_Startup sequence. 



The value of TCG_KEY_FLAGS MUST be decomposed into Individual mask values. The presence of a 
mask value SHALL have the effect described in the above table 
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4.13 Flags and persistent data structures 
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4.13.1 TCG persistent data 




IDL Definition 



typedef struct tdTCG_PERSISTENT_DATA{ 

BYTE revMajor; 

BYTE revMinor; 

TCG__NONCE tpmProof ; 

TCG_PUBKEY manuMaintPub; 

TCG_KEY endorsementKey; 

TCG_SECRET ownerAuth; 

TCG_KEY srk; 

TCG_D I RVALUE * di r ; 

BYTE* rngState; 

BYTE ordinalAuditStatus; 
} TCG_PERS ISTENT_DATA; 

Type 

These data exist in TPM shielded-locations. only, and SHALL be non-volatile. Other TCG data MAY be 
persistent, except when specifically prohibited (by an IsVolatile flag, for example). 

Description 



Types of Persistent Data 



Type 


Name 


Description 


BYTE 


revMajor 


This is the TPM major revision Indicator. This SHALL be 
set by the TPME, only. The default value is 
manufacturer-specific. 


BYTE 


revMinor 


This is the TPM minor revision indicator. This SHALL be 
set by the TPME, only. The default value is 
manufacturer-specific. 


TCG.NONCE 


tpmProof 


This is a random number that each TPM maintains to 
validate blobs in the SEAL and other processes. The 
default value is manufacturer-specific. 


TCG.PUBKEY 


manuMaintPub 


This is the manufacturer's public key to use in the 
maintenance operations. The default value is 
manufacturer-specific. 


TCG^KEY 


endorsementKey 


This is the TPM's endorsement key pair. See 9.2. The 
default value is manu^cturer-specific. 


TCG.SECRET 


ownerAuth 


This Is the TPM-Owner's authorization data. See 5.11.1. 
The default value is manufacturer-specific. 


TCG^KEY 


srk 


This is the TPM's StorageRootKey. See 5.11.1. The 
default value is manu^cturer-specific. 


TCG.DIRVALUE* 


dir 


These are the Datalntegrity Registers. There MUST be 
at least one DIR. See. for example, 6.3.4. The default 
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value of a DIR is zero. 


BYTE* 


rngState 


State information describing the randonn number 
generator. The default state and subsequent states are 
described In 10.5. 


BYTEfl 


ordinalAuditStat 
us 


Table indicating which ordinals are being audited. See 
section 8.12 
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4.13.2 TCG PERSISTENT^FLAGS Structure 




typedef struct tdTCG_PERSISTENT_FLAGS { 

BOOL disable ; 

BOOL ownership; 

BOOL deactivated; 

BOOL readPubek; 

BOOL disableOwnerClear; 

BOOL allowMaintenance; 

BOOL physicalPresenceLif etimeLock; 

BOOL physicalPresenceHWEnable; 

BOOL physicalPresenceCMDEnable; 

BOOL CEKPUsed; 

BOOL TPMpost; 

BOOL TPMpost Lock; 
} TCG_PERSISTENT_FLAGS; 

Type 

TPM shielded location: These flags exist only in a TPM shielded-location and SHALL be non-volatile. 
Other flags MAY be persistent, except when specifically prohibited. 



Parameters 



Type 


Name 


Description 


BOOL 


disable 


The state of the disable flag. See 8.14. The default state is 
TRUE 


BOOL 


ownership 


The ability to install an owner. See 8.12.5. The default state 
is TRUE. 


BOOL 


deactivated 


The state of the inactive flag. See 8.15. The default state is 
TRUE. 


BOOL 


readPubek 


The ability to read the PUBEK without owner authorization. 
See 9.2.2. The default state is TRUE. 


BOOL 


disableOwnerClear 


Whether the owner authorized clear commands are active. 
See 8.10.6. The default state is FALSE. 


BOOL 


allowMaintenance 


Whether the TPM Owner may create a maintenance 
archive. See 7.3.1. The default state is TRUE. 


BOOL 


physicalPresenceLif etim 
eLock 


This bit can only be set to TRUE; it cannot be set to FALSE 
except durina the manufacturina process. 
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except during the manufacturing process. 

FALSE: The state of either physicalPresenceHWEnable or 
physicalPresenceCMDEnable MAY be changed. 
(DEFAULT) 

TRUE: The state of either physicalPresenceHWEnable or 
pnysicair^r6S6nc6L/iViLJ tn3ui6 muo i invj i d6 (jnanyuu lur 
the life of the TPM. 


BOOL 


physicalPresenceHWEnabl 
e 


FALSE: Disable the hardware signal indicating physical 
presence. (DEFAULT) 

TRUE: Enables the hardware signal indicating physical 
presence. 


BOOL 


physicalPresenceCMDEnab 
le 


FALSE: Disable the command indicating physical presence. 
(DEFAULT) 

TRUE: Enables the command indicating physical presence. 


BOOL 


CEKPUsed 


TRUE: The PRIVEK and PUBEK were created using 
TPM_CreateEndorsementKeyPair. 

FALSE: The PRIVEK and PUBEK were created using a 
manufacturers process. 

NOTE: This flag has no default value as the key pair MUST 
be created by one or the other mechanism. 


BOOL 


TPMpost 


TRUE: the TPM MUST successfully complete 
TPM_SelfTestFull before permitting execution of any 
command 

The default state is FALSE 


BOOL 


TPMpostLock 


FALSE: The state of TPMpost MAY be changed. 
(DEFAULT) 

TRUE: The state of TPMpost MUST NOT be changed. 



Description 

The data structure TCG_PERSISTENT_FLAGS SHALL exist In a TPM shielded-location, only, and 
SHALL be non-volatile. 

The physicalPresenceHWEnable and physicalPresenceCMDEnable flags MUST mask their respective 
signals before further processing. The hardware signal, if enabled by the physicalPresenceHWEnable 
flag, MUST be logically ORed with the PhysicalPresence flag, if enabled, to obtain the final physical 
presence value used to allow or disallow local commands. 

Actions 

1. Disable flag 

a. If disable has the value of TRUE the following commands will execute with their normal 
protections 

i. TPM^Reset 

ii. TPMJnit 

ill. TPM_Startup 
iv. TPM SaveState 
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V. TPM_SHA1 Start 

vi. TPM_SHA1 Update 

vii. TPM_SHA1 Complete 

vlii. TPM_SHA1CompleteExtend 
ix. TSC_PhysicalPresence 
X. TPM^OIAP 
xi. TPM_OSAP 
xli. TPM_GetCapability 

xiii. TPM^Extend 

xiv. TPM_OwnerSetDisabIe 
XV. TPM_PhysicalEnable 
xvi. TPM_ContinueSelfrest 
xvli. TPM_SelfTestFu!l 
xviii. TPM_GetTestResult 

xix. TPM_TermlnateHandle 
b. All other commands SHALL return TCG_DISABLED. 

2. Ownership flag 

a. If ownership has the value of FALSE, then any attempt to install an owner fails with the error 
value TCGJNSTALL_DISABLED. 

3. Deactivated flag 

a. This flag does not directly cause capabilities to return the enror code TCG.DEACTIVATED. 
TPM_Startup uses this flag to set the state of TCG_VOLATILE_FLAGS -> deactivated when 
the TPM is booted in the state stType==TCG_.ST_CLEAR. Only TCG^VOLATILE.FLAGS -> 
deactivated determines whether capabilities will return the error code TCG_DEACTIVATED. 
A change in TCG_PERSISTENT_FLAGS->deactivated therefore has no effect on whether 
capabilities will retum the error code TCG.DEACTIVATED until the next execution of 
TPM_Startup with stType==TCG_ST_GLEAR 

4. readPubek 

a. If readPubek is TRUE then the TPM.ReadPubek will return the PUBEK. if FALSE the 
command will return TCG_DISABLED_GMD. 

5. DisableOwnerClear 

If disableOwnerClear is TRUE then the clear commands requiring owner authorization will retum 
TCG_CLEAR_DISABLED, if false the commands will execute. 

6. TPMpost 

If TPMpost (TPM power-on-self-test) is TRUE, a TPM will perform all self-test functions before pennitting 
any other command to execute. This may be necessary if a TPM is required to satisfy the requirements of 
the FIPS standard. 

The method of changing TPMpost is manufacturer specific. It may be sufficient to provide such a method 
just for use of manufacturers, or not at all. 

7. TPMpostLock 
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If TPMpostLock is TRUE, the value of TPMpost cannot be changed. This SHOULD be a lifetime lock: 
once TPMpostLock is TRUE, it SHOULD not be possible to change it to FALSE. 

The method of changing TPMpostLock is manufacturer specific. It may be sufficient to provide such a 
method just for use of manufacturers, or not at all. 
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4.13.3 TCG VOLATILE.FLAGS Structure 




IDL Definition 

typedef struct tdTCG_VOLATILE_FLAGS { 

BOOL deactivated; 

BOOL disableForceClear; 

BOOL physicalPresence; 

BOOL physicalPresenceLock; 

BOOL postlnitialise; 
} TCG_VOLATILE_FLAGS; 

Type 

TPM shielded location 



Parameters 



Type 


Name 


Description 


BOOL 


deactivated 


Prevents the operation of most capabilities. There Is no 
default state. It is initialized by TPM Startup to the same 
value as TCG_PERSISTENT_FLAGS -> deactivated. 
TPM_SetTempDeactivated sets it to TRUE. 


BOOL 


disableForceClear 


Prevents the operation of TPM_ForceClear when TRUE. 
The default state is FALSE. TPM_DtsableForceClear sets it 
to TRUE. 


BOOL 


physicalPresence 


Software indication whether an Owner is physically present. 
The default state is FALSE (Owner is not physically present) 


BOOL 


physicalPresenceLock 


Indicates whether changes to the physicalPresence flag are 
permitted. TPM_Startup/ST_CLEAR sets PhysicalPresence 
to its default state of FALSE (allow changes to 
PhysicalPresence flag). The meaning of TRUE is: Do not 
allow further changes to PhysicalPresence flag. 
TSC_PhyslcalPresence can change the state of 
physicalPresenceLock. 


BOOL 


postlnitialise 


Prevents the operation of most capabilities. There is no 
default state. It is initialized by TPM_lnit to TRUE. 
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[ TPM_Startup sets it to FALSE. 



Description 

The data structure TCG_VOLATILE_FLAGS SHALL exist only in a TPM shielded-location. 
The data structure TCG_VOLATILE_FLAGS MAY be held in non-volatile storage. 
Actions 

1. Deactivated flag 

a. If deactivated is TRUE the following commands SHALL execute with their nonmal protections 

I. TPM_Reset 
ii. TPMJnIt 
ill. TPM_Startup 
iv. TPM_SaveState 
V. TPM.SHAI Start 

vi. TPM_SHA1 Update 

vii. TPM_SHA1 Complete 

viii. TPM_SHA1 Complete Extend 
Ix. TSC_PhysicalPresence 

X. TPM_OlAP 

xi. TPM_OSAP 

xii. TPM_GetCapability 
xlii. TPM_TakeOwnership 
xiv. TPM_OwnerSetDisable 

XV. TPM_PhysicalDisable 

xvi. TPM_PhysicalEnable 

xvii. TPM_PhysicalSetDeactivated 
xvlii. TPM_ContinueSelfTest 

xix. TPM^SelfTestFull 
XX. TPM_GetTestResult 
xxi. TPM_TermlnateHandle 

b. All other commands SHALL retum TCG^DEACTIVATED, 

2. DisableForceClear 

If dIsableForceClear is TRUE then the TPM^ForceClear command retums 
TCG_CLEAR_DISABLED. if FALSE then the command will execute. 

3. PhysicalPresence 

If PhysicalPresence is TRUE and TCG.PERSISTENT^FLAGS -> physicalPresenceCMDEnable 
is TRUE, the TPM MAY assume that the Owner is physically present. If physicalPresence is 
TRUE and TCG_PERSISTENT_FLAGS -> physicalPresenceCMDEnable is TRUE, and physical 
alteration of the platform is necessary to subvert physicalPresence, physicalPresence MAY 
indicate unambiguous physical presence to TPM_PhysicalEnable. If physicalPresence is FALSE. 
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the TPM MUST obtain assertion of physical presence of the Owner from an alternative credible 
source, such as a hardware signal indicating physical presence. 

4. physicaiPresenceLock 

If physicaiPresenceLock is TRUE. TSC_PhysicalPresence MUST NOT change the 
physicaiPresence flag. If physicaiPresenceLock is FALSE. TSC^PhysicalPresence will operate. 

5. postlnitialise 

a. If postlnitialise is TRUE, TPM_Startup SHALL execute as nonnal 

b. All other commands SHALL retum TCGJNVALID_POSTiNiT 
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4.14 TCG PAYLOAD TYPE 




Definition 

typedef unsigned char TCG_PAYLOAD_TYPE; 
TCG PAYLOAD TYPE Values 



Value 


Name 


Comments 


0x01 


TCG_PT_ASYM 


The entity is an asymmetric key 


0x02 


TCG_PT_B!ND 


The entity is bound data 


0x03 


TCG_PT_MIGRATE 


The entity is a migration blob 


0x04 


TCG_PT_MAINT 


The entity is a maintenance blob 


0x05 


TCG_PT_SEAL 


The entity is sealed data 


0x06 -0x7F 




Reserved for future use by TCG 


0x80 -OxFF 




Vendor specific payloads 
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4.15 TCG ENTITY TYPE 




TCG ENTITY TYPE Values 



Value 


Event Name 


Comments 


0x0001 


TCG_ET_KEYHANDLE 


The entity is a keyHandle 


0x0002 


TCG_ET_OWNER 


The entity is the TPM Owner 


0x0003 


TCG_ET_DATA 


The entity is sonne data 


0x0004 


TCG.ET.SRK 


The entity is the SRK 


0x0005 


TCG^ET^KEY 


The entity is a Icey 



Description 

For the entity type of TCG_ET_OWNER the associated key handle MUST be 0x40000001 
For the entity type of TCG_ET_SRK the associated key handle MUST be 0x40000000 
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4.16 TCG^STARTUP TYPE 




TCG_STARTUP_TYPE Values 



Value 


Event Name 


Comments 


0x0001 


TCG_ST_CLEAR 


The TPM is starting up from a clean state 


0x0002 


TCG.ST_STATE 


The TPM is starting up from a saved state 


0x0003 


TCG_ST_DEACTIVATED 


The TPM is to startup and set the deactivated flag to 
TRUE 
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4.17 TCG PROTOCOL JD 




Definition 

typedef UINT16 TCG_PROTOCOL_ID; 
TCG.PROTOCOLJD Values 



Value 


Event Name 


Comments 


0x0001 


TCG_PlD_OIAP 


The GIAP protocol. See 5.2.1 


0x0002 


TCG_PID_OSAP 


The OSAP protocol. See 5.2.4 


0x0003 


TCG_PID_ADIP 


The ADIP protocol. See 5.4 


0X0004 


TCG_PID_ADCP 


The ADCP protocol. See 5.6 


0X0005 


TCG_PID_OWNER 


The protocol for taking ownership of a TPM. See 5.1 1 
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4.18 TCG ALGORITHM ID 




TCG ALGORITHMJD values 



Name 


Value 


Description 


TCG_ALG_RSA 


0x00000001 


The RSA algorithm. 


TCG_ALG_DES 


0x00000002 


The DES algorithm 


TCG_ALG_3DES 


0X00000003 


The 3DES algorithm 


TCG_ALG_SHA 


0x00000004 


The SHA1 algorithm 


TCG_ALG_HMAC 


0x00000005 


The RFC 2104 HMAC algorithm 


TCG_ALG_AES 


0x00000006 


The AES algorithm 



The TPM MUST support the algorithms TCG_ALG_RSA, TGG_ALG_SHA. TCG_ALG_HMAC. 
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4.19 TCG PHYSICAL PRESENCE 



Name 


Value 


Description 


TCG_PHYSICAL_PRESENCE_LIFETIME_LO 
CK 


OxOOSOh 


Sets the physicalPresenceLifetimeLock 
to TRUE 


TCG_PHYS I CAL_PRESENCE_HW_ENABLE 


0x0040h 


Sets the physicalPresenceHWEnable to 
TRUE 


TCG_PHYSICAL_PRESENCE_CMD_ENABLE 


0x0020h 


Sets the physicalPresenceCMDEnable 
to TRUE 


TCG__PHYSICAL_PRESENCE_NOTPRESENT 


OxOOlOh 


Sets PhysicalPresence = FALSE 


TCG_PHYSICAL_PRESENCE_PRESENT 


OxOOOSh 


Sets PhysicalPresence = TRUE 


TCG_PHYSICAL_PRESENCE_LOCK 


0x0004h 


Sets PhysicalPresenceLock = TRUE 
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4-20 TCG KEY_PARMS 




Definition 

typedef struct tdTCG_KEY_PARMS { 

TCG_ALGORITHM_ID algorithmID; 
TCG_ENC_SCHEME encScheme; 
TCG_SIG_SCHEME sigScheme; 
UINT32 parmSize; 

[si2e_is (parmSize) ] BYTE* parms; 
} TCG_KEY_PARMS; 



Parameters 



Type 


Name 


Description 


TCG.ALGORITHMJD 


algorithmID 


This SHALL be the key algorithm in use 


UINT32 


parmSize 


This SHALL be the size of the parms field in bytes 


TCG_ENC_SCHEME 


encScheme 


This SHALL be the encryption scheme that the key uses 
to encrypt information see section 8.4 


TCG_SIG_SCHEME 


sigScherae 


This SHALL be the signature scheme that the key uses 
to perform digital signatures see section 8.5 


BYTEQ 


parms 


This SHALL be the parameter information dependant 
upon the key algorithm. 



Descriptions 

The contents of the 'perms' field will vary depending upon algorithmid: 



Algorithm Id 


PARMS Contents 


TCG_ALG_RSA 


A structure of type TCG_RSA_KEY_PARMS 


TCG_ALG_DES 


No content 


TCG_ALG_3DES 


No content - Need description of key size (3 full keys etc) and mode EDE etc. 


TCG.ALG^SHA 


No content 


TCG.ALG_HMAC 


No content 


TCG_ALG_AES 


No content - Need description of key size (128. 192, 256) 



4.20.1 TCG RSA_KEY_PARMS 
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Definiti n 

typedef struct tdTCG_RSA_KEY_PARMS { 

UINT32 keyLength; 

UINT32 numPrimes; 

UINT32 exponentSize; 

BYTE[] exponent; 
} TCG__RSA_KEY_PARMS; 



Parameters 



Type 


Name 


Description 


UINT32 


keyLength 


Tliis specifies the size of the RSA key in bits 


UINT32 


numPrimes 


This specifies the number of prime factors used by this RSA key. 


UINT32 


exponentSize 


This SHALL be the size of the exponent. If the key is using the 
exponent from 10.4.1 then the exponentSize MUST be 0. 


BYTED 


exponent 


The public exponent of this key 
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4.21 TCG CHANGEAUTH VALIDATE 




Definition 



typedef struct tdTCG_CHANGEAUTH_VALIDATE { 

TCG_SECRET newAuthSecret; 

TCG_NONCE nl; 
} TCG_CHANGEAUTH VALIDATE; 



Parameters 



Type 


Name 


Description 


TCG.SECRET 


newAuthSecret 


This SI-IALL be the new authorization data for the target entity 


TCG_NONCE 


nl 


This SHOULD be a nonce, to enable the caller to verify that the target 
TPM is on-line. 
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4.22 TCG MIGRATE SCHEME 




Definition 

TCG MIGRATE SCHEIME values 



Name 


Value 


Description 


TCG_MS_I\/IIGRATE 


0x0001 


A public key that can be used with all TCG migration commands 
other than *ReWrap' mode. 


TCG_MS_REWRAP 


0x0002 


A public key that can be used for the ReWrap mode of 
TPM_CreateMigrationBlob. 


TCG_MS_MAINT 


0x0003 


A public key that can be used for the Maintenance commands 
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4.23 TCG MIGRATIONKEYAUTH 




Definition 



typedef struct tdTCG_MIGRATIONKEYAUTH{ 

TCG_PUBKEY itiigrationKey ; 

TCG_MIGRATE_SCHEME migrationScheme; 

TCG_DIGEST digest; 
} TCG MIGRATIONKEYAUTH; 



Parameters 



Type 


Name 


Description 


TCG.PUBKEY 


migrationKey 


This SHALL be the public key of the migration facility 


TCG MIGRATE 
^SCHEME 


migrationScheme 


This shall be the type of migration operation. 


TCG.DIGEST 


digest 


This SHALL be the digest value of the concatenation of 
migration key. migration scheme and tpmProof 
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4.24 TCG AUDIT EVENT structure 




IDL Definition 

typedef struct tdTCG_AUDIT_EVENT( 
TCG_COMMAND_CODE ordinal; 
TCG_RESULT returncode; 

} TCG_AUDIT_EVENT; 



Parameters 



Type 


Name 


Description 


TCG_COMMAND_CODE 


ordinal 


Ordinal of the command 


TCG_RESULT 


returncode 


Return code for the command 
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4.25.1 TCG EVENT.CERT 




Definition 

typedef struct tdTCG_EVENT_CERT { 
TCG_DIGEST certif icateHash; 
TCG_DIGEST enti tyDigest ; 
BOOL digestChecked; 
BOOL digestVerif ied; 
UINT32 issuerSize; 

[size_is (IssuerSize) 3 BYTE * issuer; 
) TCG___EVENT_CERT; 



Parameters 



Type 


Name 


Description 


TCG_DIGEST 


certlficateHash 


Hash of the entire VE certificate 


TCG_DIGEST 


entityDigest 


Actual digest value of the entity 


BOOL 


digestChecked 


TRUE if the entity logging this event checked the 
measured value against the digest value in the certificate. 

FALSE if no checking was attempted. 


BOOL 


digestVerified 


Only valid when DigestChecked is TRUE. 

TRUE if measured value matches digest value in 
certificate. FALSE otherwise. 


UINT32 


issuerSize 


Size of the Issuer parameter 


BYTE* 


issuer 


Actual issuer certificate 
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4.25.2 TCG PCR.EVENT 
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Definition 

typedef struct tdTCG_PCR__SELECTION { 
UINT16 sizeOfSelect; 

[size_is (sizeOf Select) ] BYTE pcrSelect[]; 
} TCG_PCR_SELECTION; 



Parameters 



Type 


Name 


Description 


UINT16 


SizeOfSelect 


The size in bytes of the pcrSelect structure 


BYTE 


pcrSelect 


This SHALL be a bit map that indicates if a PGR is 
active or not 



Description 

When the least-significant-bit of byte [N+1] of pcrSelect is butted against the most-significant-bit of byte 
[Nl of pcrSelect for (15>=N>=0). the contiguous bit an-ay so formed SHALL represent PGR indices in 
monotonically increasing order, starting from PGR index zero represented by bit 0 of byte 0 of pcrSelect. 
The state of each bit in pcrSelect indicates whether a PGR register is selected or not. When the bit is 1 
then the corresponding PGR is selected, if 0 the PGR is not selected. 

pcrSelect SHALL explicitly indicate the selection or deselection of every PGR supported by the target 
TPM A TPM MAY support a value of sizeOfSelect that is greater than the minimum size of pcrSelect. In 
v1 of the specification, this means that a TPM MUST support a sizeOfSelect greater than or equal to two. 
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4.25.4 TCG^PCR^COMPOSITE 




Definition 

typedef struct tdTCG_PCR_COMPOSITE { 
TCG_PCR_SELECTION select; 
UINT32 valueSize; 

[size_is (valueSize) ] TCG_PCRVALUE pcrValue [ ] ; 
) TCG_PCR_COMP0SITE; 



Parameters 



Type 


Name 


Description 


TCG_PCR„SELECTiON 


select 


This SHALL be the indication of which PGR vaiues are 
active 


UINT32 


valueSize 


This SHALL be the size of the pcrValue field 


TCG_PCRVALUE 


pcrValue [ ) 


This SHALL be an array of TCG_PCR VALUE structures. 
The values come in the order specified by the select 
parameter and are concatenated into a single blob 
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4.25.5 TCG_PCRJNFO 




Definition 



typedef struct tdTCG_PCR_INFO { 

TCG_PCR_SELECTION pcrSelection ; 
TCG_COMP0SITE_HASH digestAtRelease; 
TCG_COMPOSITE_HASH digestAtCreation; 
} TCG_PCR_INFO; 



Parameters 



Type 


Name 


Description 


TCG PCR_SELECTION 


pcrSelection 


This SHALL be the selection of PCRs to which the 
data or key is bound. 


TCG_COMPOS I TE_H AS H 


digestAtRelease 


This SHALL be the digest of the PGR indices and 
PGR values to verify when revealing Sealed Data 
or using a key that was wrapped to PGRs. 


TCG_COMPOS I TE_HASH 


digestAtCreation 


This SHALL be the composite digest value of the 
PGR values, at the time when the sealing is 
performed. 
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4.26 St rage Structures 




Definition 

typedef struct tdTCG_STORED_DATA { 
TCG_VERSrON ver; 
UINT32 seallnfoSize; 

[size_is (seallnfoSize) ) BYTE* seallnfo; 
UINT32 encDataSize; 

[size_is (encDataSize) ] BYTE* encData; 
} TCG STORED DATA; 



Parameters 



Type 


Name 


Description 


TCG_VERSION 


ver 


Version number defined in section 4.5. 


UINT32 


seallnfoSize 


Size of the seallnfo parameter 


BYTE* 


seallnfo 


This SHALL be a structure of type 
TCG_PCRJNFO or a 0 length array if the 
data is not bound to PCRs. 


UINT32 


encDataSize 


This SHALL be the size of the encData 
parameter 


BYTE* 


encData 


This shall be an encrypted 
TCG_SEALED_DATA structure containing the 
confidential part of the data. 



Descriptions 

This structure is created during the TPM^Seal process. The confidential data is encrypted using a non- 
migratable key. When the TPM.Unseal decrypts this structure the TPM^Unseal uses the public 
information in the structure to validate the cunrent configuration and release the decrypted data. 
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4.26.2 TCG_SEALED_DATA 




Definition 



typedef struct tdTCG_SEALED_DATA { 
TCG_PAYLOAD_TYPE pay load; 
TCG_SECRET authData; 
TCG_NONCE tpmProof; 
TCG_DIGEST storedDigest ; 
UINT32 dataSize; 
[size_is (dataSize) ] BYTE* data; 
} TCG_SEALED_DATA; 



Parameters 



Type 


Name 


Description 


TCG„PAYLOAD_TYPE 


payload 


This SHALL Indicate the payload type of 
TCG_PT__SEAL 


TCG_SECRET 


authData 


This SHALL be the authorization data for this value 


TCG.NONCE 


tpmProof 


This SHALL be a copy of 
TPM_PERSISTENT_FLAGS -> tpmProof 


TCG.DIGEST 


StoredDigest 


This SHALL be a digest of the TCG„STORED_DATA 
structure, excluding the fields 
TCG STORED DATA -> encDataSize and 
TCG_STORED_DATA -> encData. 


UINT32 


dataSize 


This SHALL be the size of the data parameter 


BYTE* 


data 


This SHALL be the data to be sealed 



Description 

To tie the TCG_STORED_DATA structure to the TCG_SEALED_DATA structure this structure contains a 
digest of the containing TCG_STORED_DATA structure. 

The digest calculation does not include the encDataSize and encData parameters. 
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4.26.3 TCG_SYMMETRIC_KEY 




typedef struct tdTCG_SYMMETRIC__KEY { 
TCG_ALGORITHM_ID algid; 
TCG_ENC_SCHEME encScheme; 
UINT16 size; 

[size_is (size) ] BYTE* data; 
} TCG_SYMMETRIC_KEY; 



Parameters 



Type 


Name 


Description 


TCG_ALGORITHM JD 


algid 


This SHALL be the algorithm identifier of the symmetric 
key. 


TCG_ENC_SCHEME 


encScheme 


This SHALL fully identify the manner in which the key 
will be used for encryption operations. 


UINT16 


size 


This SHALL be the size of the data parameter in bytes 


BYTE* 


data 


This SHALL be the symmetric key data 
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4.26.4 TCG_BOUND_DATA 




typedef struct tdTCG_BOUND_DATA { 
TCG_VERSION ver; 
TCG_PAYLOAD_TYPE pay load; 
BYTE [ 1 payloadData ; 
} TCG__BOUND_DATA; 



Parameters 



Type 


Name 


Description 


TCG_VERSION 


ver 


Version number defined in section 4.5. 


TCG_PAYLOAD_TYPE 


payload 


This SHALL be the value TCG_PT_BIND 


BYTE [ ] 


payloadData 


The bound data 



Descriptions 

This structure MUST be used for creating data when (wrapping with a key of type TPM_KEY_BIND) or 
(wrapping using the encryption algorithm TCG_ES_RSAESOAEP_SHA1_M). If it is not. the TPM.UnBind 
command will fail. 
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4.27 TCG_KEY complex 
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4.27.1 TCG KEY 




Definition 



typedef struct tdTCG_KEY{ 
TCG_VERSION ver; 
TCG_KEY_USAGE keyUsage; 
TCG_KEY_FLAGS JceyFlags; 
TCG_AUTH_DATA_USAGE authDataUsage; 
TCG_KEY_PARMS algorithmParms ; 
UINT32 PCRInfoSize; 
BYTE* PCRInfo; 
TCG_STORE_PUBKEY pubKey; 
UINT32 encSize; 

[size_is (encData) BYTE* encData; 
} TCG_KEY; 



Parameters 



Type 


Name 


Description 


TCG_VERSION 


ver 


Version number defined in section 4.5. 


TCG__KEY_USAGE 


keyUsage 


This SHALL be the TCG key usage that determines 
the operations permitted with this key 


TCG_KEY_FLAGS 


keyFlags 


This SHALL be the indication of migration, 
redirection etc. 


TCG_AUTH_DATA_USAGE 


authDataUsage 


This SHALL Indicate the conditions where it is 
required that authorization be presented. 


TCG_KEY_PARMS 


algorithmParms 


This SHALL be the information regarding the 
algorithm for this key 


UINT32 


PCRInfoSize 


This SHALL be the length of the pcrlnfo parameter. 
If the key is not bound to a PCR this value SHOULD 
beO. 


BYTE* 


PCRInfo 


This SHALL be a stmcture of type 
TCG_PCRJNFO, or an empty an-ay if the key is not 
bound to PCRs. 


TCG_STORE_PUBKEY 


pubKey 


This SHALL be the public portion of the key 


UINT32 


encSize 


This SHALL be the size of the encData parameter. 


BYTE* 


encData 


This SHALL be an encrypted 
TCG STORE ASYMKEY structure 
TCG MIGRATE ASYMKEY structure 
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typedef struct tdTCG_STORE_PUBKEY { 
UINT32 keyLength; 



BYTE[] key; 
} TCG_STORE_PUBKEY; 

Parameters 


Type 


Name 


Description 


UINT32 


keyLength 


This SHALL be the length of the key field. 


BYTE [ ] 


key 


This SHALL be a structure interpreted according to the algorithm Id in 
the corresponding TCG_KEY„PARMS stmcture. 


Descriptions 

The contents ( 


3f the 'key' field will vary depending upon the corresponding key algorithm: 


Algorithm Id 


■Key' Contents 


TCG_ALG_RSA 


The RSA public modulus 
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4.27.3 TCG^PUBKEY 




Definition 



typedef struct tdTCG_PUBKEY { 

TCG_KEY_PARMS algorithmParms ; 
TCG_STORE_PUBKE Y pubKe y ; 
} TCG^PUBKEY; 



Parameters 



Type 


Name 


Description 


TCG_KEY_PARMS 


algorithmParms 


This SHALL be the information regarding this key 


TCG STORE_PUBKEY 


pubKey 


This SHALL be the public key infomnation 



Descriptions 

The pubKey member of this structure shall contain the public key for a specific algorithm. 
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4.27.4 TCG STORE.ASYMKEY 




Definition 



typedef struct tdTCG_STORE_ASYMKEY { 

rCG_PAYLOAD_TYPE payload; 

TCG_SECRET usageAuth; 

TCG__SECRET migrationAuth; 

TCG_DIGEST pubDataDigest; 

TCG_STORE_PRIVKEY privKey; 
} TCG_STORE_ASYMKEY; 



Parameters 



Type 


Name 


Description 


TCG_PAYLOAD_T Y PE 


payload 


This SHALL set to TCG_PT_ASYM to indicate an asymmetric 
key. 


TCG_SECRET 


usageAuth 


This SHALL be the authorization data necessary to authorize 
the use of this value 


TCG_SECRET 


migrationAuth 


This SHALL be the migration authorization data for a 
migratable key, or the TPM secret value tpmProof for a non- 
migratable key created by the TPM. 

If the TPM sets this parameter to the value tpmProof. then the 
TCG KEY.key Flags. migratable of the corresponding 
TCG_KEY structure MUST be set to 0. 

If this parameter is set to the migration authorization data for 
the key in parameter PrivKey. then the 
TCG KEY.keyFlags.migratable of the corresponding 
TCG^KEY structure SHOULD be set to 1 . 


TCG_DIGEST 


pubDataDigest 


This SHALL be the digest of the corresponding TCG_KEY 
structure, excluding the fields TCG_KEY.encSize and 
TCG_KEY.encData. 

When TCG_KEY -> pcrinfoSize is 0 then the digest calculation 
has no input from the pcrlnfo field. The pcrinfoSize field MUST 



// pos len total 

// 0 1 1 

// 1 20 21 

// 21 20 41 

// 41 20 61 

// 61 132-151 193-214 
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always be part of the digest calcuation. 


TCG_STORE_PRIVKEY 


privKey 


This SHALL be the private key data. The privKey can be a 
variable length which allows for differences in the key format. 
The maximum size of the area would be 151 bytes. 
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4.27.5 TCG^STORE^PRIVKEY 




typedef struct tdTCG_STORE_PRIVKEY { 

UINT32 keyLength; 

[size^is (keyLength) ] BYTE* key; 
} TCG_STORE_PRIVKEY; 



Parameters 



Type 


Name 


Description 


UINT32 


keyLength 


This SHALL be the length of the key field. 


BYTE* 


key 


This SHALL be a structure Interpreted according to 
the algorithm Id in the corresponding TCG_KEY 
structure. 



Descriptions 

All migratable keys MUST be RSA keys with two (2) prime factors. 

For non-migratable keys, the size, forniat and contents of privKey.key MAY be vendor speafic f 

not be the same as that used for migratable keys. The level of cryptographic protection MUST be at least 

as strong as a migratable key. 



Algorithm Id 


key Contents 


TCG_ALG_RSA 


When the numPrimes defined in the conresponding TCG_RSA_KEY_PARMS 
field is 2. this shall be one of the prime factors of the key. Upon loading of the 
key the TPM calculates the other prime factor by dividing the modulus, stated 
in section 10.4.1 : TCG_RSA_PUBKEY. by this value. 

The TPM MAY support RSA keys with more than two prime factors. Definition 
of the storage stmcture for these keys is left to the TPM Manufacturer. 
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4.27.6 TCG_MIGRATE_ASYMKEY 




Definition 

typedef struct tdTCG_MIGRATE_ASYMKEY 

TCG_PAYLOAD_TYPE payload; 

TCG_SECRET usageAuth; 

TCG_DIGEST pubDataDigest; 

UINT32 partPrivKeyLen; 

TCG_STORE_PRIVKEY partPrivKey; 
} TCG MIGRATE_ASYMKEY; 



// 


pos 


len 


total 


// 


0 


1 


1 


// 


1 


20 


21 


// 


21 


20 


41 


// 


41 


4 


45 


// 


45 


112-127 


157-172 



Parameters 



Type 


Name 


Description 


TCG_PAYLOAD_TYPE 


payload 


This SHALL set to TCG_PT_MIGRATE to indicate an 
migrating asymmetric l^ey or TCG„PT_MAINT to 
indicate a maintenance key. 


TCG_SECRET 


usageAuth 


This SHALL be a copy of the usageAuth from the 
TCG_STORE_ASYMKEY structure. 


TCG__DIGEST 


pubDataDigest 


This SHALL be a copy of the pubDataDigest from the 
TCG_STORE_ASYMKEY structure. 


UINT32 


partPrivKeyLen 


This SHALL be the size of the partPrivKey field 


TCG_STORE_PRIVKEY 


partPrivKey 


This SHALL be the k2 area as defined in section 
7.2.11 



Versi nl.la 1 Set mber2001 



TCG Main Specification 



Page 75 



4.28 TCG CERTIFY INFO Structure 




IDL Definition 

typedef struct tdTCG_CERTIFY_INFO{ 
TCG^VERSION version; 
TCG_KEY_USAGE keyUsage; 
TCG_KEY_FLAGS keyFlags; 
TCG_AUTH_DATA_USAGE authDataUsage; 
TCG_KEY_PARMS algorithmParms ; 
TCG_DIGEST pubkeyDigest ; 
TCG_NONCE data; 
BOOL parentPCRStatus; 
UINT32 PCRInfoSize; 

[size_is (pcrlnfoSize) ] BYTE* PCRInfo; 



Parameters 



Type 


Name 


Description 


TCG^VERSION 


version 


TCG version structure; section 4.5 . 


TCG_KEY_USAGE 


keyUsage 


This SHALL be the same value that would be set in a 
TCG_KEY representation of the key to be certified 


TCG_KEY_FI-AGS 


keyFlags 


This SHALL be set to the same value as the 
con-esponding parameter in the TCG_KEY stmcture that 
describes the public key that is being certified 


TCG AUTH DATA 
USAGE 


authDataUsage 


This SHALL be the same value that would be set in a 
TCG_KEY representation of the key to be certified 


TCG_KEY_PARMS 


algorithmParms 


This SHALL be the same value that would be set in a 
TCG_KEY representation of the key to be certified 


TCG.DIGEST 


pubKeyDigest 


This SHALL be a digest of the value TCG_KEY -> 
pubKey -> key in a TCG_KEY representation of the key 
to be certified 


TCG_NONCE 


data 


This SHALL be externally provided data. 


BOOL 


parentPCRStatus 


This SHALL indicate if any parent key was wrapped to a 

PGR 


UINT32 


PCRInfoSize 


This SHALL be the size of the pcrlnfb parameter. A 
value of zero indicates that the key is not wrapped to a 
PGR 


BYTE* 


PCRInfo 


This SHALL be the TCG^PCRJNFO stmcture. 
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4.29 TCG QUOTE INFO Structure 



iThiS sti^jctijre prwic 



IDL Definition 

typedef struct tdTCG_QUOTE_INFO { 
TCG_VERSION version; 
BYTE fixed [4 3; 

TCG__COMPOSITE_HASH digestValue; 
TCG_NONCE externalData, 
} TCG_QU0TE_INFO; 



Parameters 



Type 


Name 


Description 


TCG_VERSION 


version 


TCG version structure; section 4.5 


BYTE 


fixed 


This SHALL always be tine stnng 'QUOr 


TCG_COMPOSITE_HASH 


digestValue 


This SHALL be the result of the composite hash 
algorithm using the current values of the requested 
PGR indices. 


TCG^NONCE 


externalData 


160 bits of externally supplied data 
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4.30 Identity Structures 



4.30.1 TCGJDENTITY_CONTENTS 




Definition 

.typedef struct tdTCG_IDENTITY_CONTENTS { 
TCG_VERSION ver 
UINT32 ordinal, 
TCG_CHOSENID_HASH labelPrivCADigest , 
TCG_PUBKEY identityPubKey; 

} TCG_IDENTITY_CONTENTS; 



Parameters 



Type 


Name 


Description 


TCG_VERSION 


ver 


This SHALL be the version specified in 
section 4.5. 


UINT32 


ordinal 


This SHALL be the ordinal of the 
TPM_Makeldentlty command. 


TCG_CHOSENID_HASH 


labelPrivCADigest 


This SHALL be the result of hashing the 
chosen identityLabel and privacyCA for the 
new TPM identity (see 1 0.4.6 for details) 


TCG_PUBKEY 


identityPubKey 


This SHALL be the public key structure of the 
identity key 
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4.30.2 TCG JDENTITY^REQ 




Parameters 



Type 


Name 


Description 


UINT32 


asymSize 


This SHALL be the size of the asymmetric 
encrypted area created by 
TSS_CollateldentltyRequest 


UINT32 


symSize 


This SHALL be the size of the symmetric 
encrypted area created by 
TSS.CollateldentityRequest 


TCG.KEY^PARMS 


asymAlgorithm 


This SHALL be the parameters for the asymmetric 
algorithm used to create the asymBlob 


TCG^KEY.PARMS 


symAlgorithm 


This SHALL be the parameters for the symmetric 
algorithm used to create the symBlob 


BYTE* 


asymBlob 


This SHALL be the asymmetric encrypted area 
from TSS_CollateldentityRequest 


BYTE* 


symBlob 


This SHALL be the symmetric encrypted area 
from TSS_CollateldentityRequest 
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4.30.3 TCG IDENTITY^PROOF 















Type 


Narne 


Descrintion 






This SIHALL be the version specified in section 4.5. 


UlfM 1 0£. 




This SHALL be the size of the label area 


UINT32 


identi tyBindingSi ze 


This SHALL be the size of the identityblnding area 


UINT32 


endorsementSize 


This SHALL be the size of the endorsement 
credential 


UINT32 


piatformSize 


This SHALL be the size of the platform credential 


UINT32 


conf ormanceSize 


This SHALL be the size of the conformance 
credential 


TCG^PUBKEY 


identityKey 


This SHALL be the public key of the new identity 


BYTE* 


labelArea 


This SHALL be the text label for the new identity 


BYTE* 


identityBinding 


This SHALL be the signature value of 
TCGJDENTITY_CONTENTS structure from the 
TPM_Makeldentity command 


BYTE* 


endorsementCredential 


This SHALL be the TPM endorsement credential 


BYTE* 


platformCredential 


This SHALL be the TPM platform credential 


BYTE* 


conformanceCredential 


This SHALL be the TPM conformance credential 
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4.30.4 TCG ASYM_CA_CONTENTS 




Definition 

typedef struct tciTCG_ASYM_CA__CONTENTS { 
TCG_SYMMETRIC_KEY sessionKey; 
TCG_DIGEST idDigest; 

} TCG_ASYM_CA_CONTENTS; 



Parameters 



Type 


Name 


Description 


TCG_SYMMETR1C_KEY 


sessionKey 


This SHALL be the session key used by the CA to encrypt 
the TCGJDENTITY_CREDENTiAL 


TCG.DIGEST 


idDigest 


This SHALL be the digest of the TPM identity public key 
that is being certified by the CA 
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4.30.5 TCG.SYM.CA_ATTESTATION 




Type 


Name 


Description 


UINT32 


credSize 


This SHALL be the size of the credential parameter 


TCG_KEY_PARMS 


algorithm 


This SHALL be the indicator and parameters for the 
symmetric algorithm 


BYTE* 


credential 


This is the result of encrypting 

TPM JDENTITY_CREDENTIAL using the session^key and 
the algorithm indicated "algorithm" 
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4.31 TCG CAPABILITY AREA 




Value 


Capability Name 


Comments 


0x00000001 


TCG^CAP.ORD 


Queries whether a command is supported. 


0x00000002 


TCG_CAP_ALG 


Queries whether an algorithm is supported. 


0x00000003 


TCG.GAP.PID 


Queries whether a protocol is supported. 


0x00000004 


TCG^CAP^FLAG 


Queries whether a flag is on or off. 


0x00000005 


TCG_CAP_PROPERTY 


Determines a physical property of the TPIVI. 


0x00000006 


TCG_CAP_VERSION 


Queries the current TPM version. 


0x00000007 


TCG.GAP_KEY_HANDLE 


Obtains information about all key handles 


0x00000008 


TPM_CAP_CHECK,LOADED 


Obtains infomnation about the ability to load a key 


0x00000009 






OxOOOOOOOA 






OxOOOOOOOB 
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4.32 Cr d ntials 
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4.32.1 Evidence of Subsystem End rsement 




Description 

struct TPM_ENDORSEMENT_CREDENTIAL = { 

BYTE label = "TCG Trusted Platform Module Endorsement* 

TCG_PUBKEy pub 1 ic_endors erne nt_lcey 

REFERENCE tpm_model 

REFERENCE tpm_distributed_validation 
REFERENCE tprae_ref erence 

TCG_VERSION TCG_VERSION 
SIGNATURE signature_value } 



This is an abstract definition, section 9.5.1 contains the 
representation. 

Parameters 



concrete 



Type 


Name 


Description 


BYTE 


label 


This SHALL be the ASCII characters 



V rsi n1.1a 1 Set mber2001 



TCG Main Specification Page ^5 







**TC^C^ Tn iQtfaH Platform Module 
Endorsement" 


TCG.PUBKEY 


publ i c_endo r s emen t_ke y 


This SHALL be the PUBEK returned by a 

TPM_CreateEndorsementKeyPair 

command. 


REFERENCE 


tpm_model 


This SHALL be a reference to the type of 
implementation of protected capabilities 
and shielded locations that created the 
PUBEK, plus a reference to the identity of 
the manufacturer of that implementation. 


REFERENCE 


tpm_di s t ributed_validation 


This SHALL be a reference to fields that 
indicate the security qualities of the 
implementation of protected capabilities 

«9n/4 ehiAl/4AH InoatSnne Hist ^roatoH tho 

PUBEK. 


REFERENCE 


tpme_reference 


This SHALL be an unambiguous 
indication of the identity of the (TPM) 
entity that attests that the implementation 
of protected capabilities and shielded 
locations conforms to the TCG 
specification. 


TCG_VERSION 


TCG_VERSION 


This SHALL be the version specified in 
section 4.5. 


SIGNATURE 


signature_value 


This SHALL be the signature over all 
previous fields in 

TPM_ENDORSEMENT„CREDENTIAL. 
using the private key of the tpme- 
reference. 



When an entity presents evidence to a Privacy CA that an implementation of protected capabilities and 
shielded locations conforms to the TCG specification, that evidence SHALL include the data in the data 
structure TPM_ENDORSEMENT_CREDENTIAL. 

A (TPME) entity SHALL NOT create the data structure TPM_ENDORSEMENT_CREDENTIAL unless the 
entity is satisfied that the PUBEK referenced in TPM_ENDORSEMENT_CREDENTIAL was returned in 
response to a TPM_CreateEndorsementKeyPair command by an implementation of protected capabilities 
and shielded locations that meets the TCG specification. 

If the data structure TPM_ENDORSEMENT_CREDENTIAL is stored on a platform after an Owner has 
taken ownership of that platform, it SHALL exist only in storage to which access is controlled and is 
available to authorized entities. 
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4.32.2 Evidence f Platform End rsement 




Description 

When an entity presents evidence to a Privacy CA that a platform conforms to the TCG specification, that 
evidence SHALL Include the data in the data stmcture platform_credential. 
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An entity (PE) SHALL NOT create the data structure platform_credential unless th entity is satisfied that 
the platform conforms to the confonmance credential referenced inside platform_credential and contains 
the TPM referenced inside platform_credential. 

Definition 

struct PLATFORM_CREDENTIAL ={ 

ASCII_STRING ^"TCG Trusted Platform Endorsement" 

REFERENCE • tpm-credential-ref erence 

REFERENCE conformance-credential -reference 

REFERENCE platform_TBB 

REFERENCE platf orm_distributed_validation 

REFERENCE pe-reference 

TCG_VERSION TCG_VERSION 

SIGNATURE signature_value } 

This is an abstract definition, section 9.5.2 contains the concrete 
representation . 



Parameters 



Type 


Name 


Description 


ASCII_STRING 


"TCG Trusted Platform 
Endorsement" 


This SHALL be the ASCII string "TCG 
Trusted Platform Endorsemenf 


REFERENCE 


tpm-credential-ref erence 


This SHALL be an unambiguous indication 
of the endorsement credential of the TPM 
incorporated into the platform. 


REFERENCE 


conformance-credential- 
reference 


This SHALL be an unambiguous indication 
of the conformance UIDs that attest that the 
design of the platform conforms to the TCG 
specification. 


REFERENCE 


plat f orm_TBB 


This SHALL be a reference to the type of 
the platform, including the TCG foundations 
in the platform, plus a reference to the 
identity of the manufacturer of that platform. 


REFERENCE 


platf orm_distributed__valid 
ation 


This SHALL be fields that indicate the 
general security qualities of the platform. 


REFERENCE 


pe-reference 


This SHALL be an unambiguous indication 
of the identity of the (platform) entity that 
attests to the design and construction of the 
platform. 


TCG.VERSION 


TCG_VERSION 


This SHALL be the version specified in 
section 4.5. 


SIGNATURE 


signature_value 


This SHALL be the signature over all 
previous fields in platform_credential, using 
the private key of the pe-reference. 



If the data structure platform_credential is stored on a platform after an Owner has taken ownership of 
that platform, it SHALL exist only in storage to which access is controlled and is available to authorized 
entities. 
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4.32.3 Evidence of Platf rnfi C nf rmanc 




Description 

When an entity presents evidence to a Privacy CA that a platform conforms to the TCG specification, that 
evidence SHALL include the data in the data structure conformance_credential. 

A (conformance) entity SHALL NOT create the data structure confonnance_credential unless the entity is 
satisfied that the design of both the Subsystem and its incorporation Into the platform are accurately and 
unambiguously represented by the Information in conformance_credentlaI. 

typedef struct CONFORMANCE_CREDENTIAL =={ 

ASCII_STRING ''TCG Conformance Credential" 

CONFORM_UID tpm_pp 

CONFORM_UID tpm_st 

CONFORM_UID f oundation_pp 

CONFORM_UID f oundation_st 

REFERENCE ce_reference 

TCG_VERSION TCG_VERSI0N 

SIGNATURE signature 

} 

This is an abstract definition; section 9.5.3 contains the concrete representation. 
Parameters 



Type 


Name 


Description 


ASCILSTRING 


"TCG Conformance 
Credential" 


This SHALL be the ASCII string "TCG 
Conformance Credential" 


CONFORM_UID 


tpm_pp 


This SHALL be the UID that unambiguously 
identifies the protection profile of the TPM 


CONFORM_UID 


tpm_st 


This SHALL be the UID that unambiguously 
identifies the security target of the TPM 


CONFORM^UID 


f oundation_pp 


This SHALL be the UID that unambiguously 
identifies the protection profile of the TCG 
foundations in the platform. 


CONFORM^UID 


f oundation_st 


This SHALL be the UID that unambiguously 

— — «i ♦ ^^.^^v.^ t^/^ 
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identifies the security target of the TOG 

fniinriatinn^ in th6 Distfonm 


REFERENCE 


ce_ref erence 


This SHALL be an unambiguous indication of 
the identity of the (Conformance) entity that 
attests to the overall design of the platform. 


TCG^VERSION 


TCG_VERSION 


This SHALL be the version specified in section 

4.5. 


SIGNATURE 


signature_value 


This SHALL be the signature over all previous 
fields in CONFORMANCE^CREDENTIAL. 
using the private key of the ce_reference. 
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All components tliat influence the software environment in a platform SHOULD have corresponding 
validation data. 

The representation of a component SHALL reflect the way that the component influences the software 
environment in a platform. All representations SHALL include a description of the manufacturer, the 
common name of the component, the version of the component, and a field that describes the security 
qualities of the component. 

The representation of a component SHALL NOT In any way provide information that exposes the identity 
of a specific component. 

The validation data of a component SHALL be validation_data 
IDL Description 

typedef struct VALIDATION_DATA -{ 



ASCII_STRING 

ASCII_STRING 

ASCII_STRING 

ASCII_STRING 

DIGEST 

REFERENCE 

REFERENCE 

TCG_VERSION 

SIGNATURE 



'"TCG Validation Data" 
component__manuf acturer , 
component_name , 
component_ver s ion, 
instruction_digest, 
component_distributed_validation, 
ve_ref erence, 
TCG_VERSION, 

validation_data_signature_value } 



This is an abstract definition; section 9.5.4 contains the concrete representation. 
Parameters 



Type 


Name 


Description 


ASCILSTRING 


"TCG Validation Data" 


This SHALL be the ASCII string TCG 
Validation Data." 


ASCILSTRING 


component_manuf acturer 


This SHALL be an ASCII string stating the 
name of the manufacturer of the 
component. 


ASCILSTRING 


c ompo n e n t_n ame 


This SHALL be an ASCII string stating the 
common name of the component. 


ASCILSTRING 


component_version. 


This SHALL be an ASCII string stating the 
version of the component. 


DIGEST 


instruction_digest 


This SHALL be a digest of any 
instructions in the component that are 
intended to execute on the main 
computing engine of the platform. 


REFERENCE 


component_di stributed_ 
validation 


This SHALL be a convenient immediate 
reference to the security properties of the 
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reference to the security properties of the 
component. 


REFERENCE 


ve reference 


Indication of the identity of the (validation) 
entity that attests to the validation data. 


TCG^VERSION 


TCG_VERSION 


This SHALL be the version specified in 
section 4.5. 


SIGNATURE 


validation_data_signat 
ure_value 


This SHALL be the result of signing all 
fields (except this field) in 
VALIDATION_DATA using the signature 
(private) key of VE_reference. 



4.32.5 Evidence of Trusted Platform Module Identity 




Description 

When an entity presents evidence that an identity belongs to a Subsystem, that evidence SHALL include 
the data In the data structure TPMJDENTITY.CREDENTIAL. 

struct TPM_IDENTITY_CREDENTIAL ^{ 



ASCII_STRING 
UNICODE 
TCG_PUBKEY 
REFERENCE 
REFERENCE 
CONFORM__UID 
CONFORM_UID 
REFERENCE 
REFERENCE 
CONFORM_UID 
CONFORM_UID 
REFERENCE 



TCG Trusted Platform Identity" 
identityLabel 
identityPubKey 
tpm_model 

tpm__di s t r ibu t ed_val i da t i on 

tpin_pp 

tpm_st 

platf orm_model 

platform_distributed_validation 
f oundation_pp 
foundation's t 
p-ca_ref erence 



TCG_VERSION TCG_VERSION 
SIGNATURE signature_value } 



This is an abstract definition; section 9.5.5 contains the concrete representation. 
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Parameters 



Type 


Name 


Description 


ASCII^STRING 


'"TCG Trusted Platform 
Module Identity" 


This SHALL be the ASCII string "TCG Trusted 
Platform Identity." 


UNICODE 


identityLabel 


This SHALL be a textual string associated 
with the TPM identity. 


TCG.PUBKEY 


identityPubKey 


This SHALL be a public key associated with 
the TPM identity. 


REFERENCE 


tpm_model 


This SHALL be a reference to the type of TPM 
in the platform, plus a reference to the identity 
of the manufacturer of TPM. 


REFERENCE 


tpm_distributed_validation 


This SHALL be fields that indicate the security 
qualities of the TPM in the platform. 


CONFORM_UlD 


tpm_pp 


This SHALL be the UID that unambiguously 
identifies the protection profile of the TPM 




tpm st 


ThiQ ^HAI 1 bp the UID that unambiououslv 
identifies the security target of the TPM 


REFERENCE 


p 1 a t f o r m__mo del 


This SHALL be a reference to the type of the 

niatfnrm inrliidinn thp TCG foundations in the 
platform, plus a reference to the identity of the 
manufacturer of that platform. 


RcrtKtiMUt 


P±au.I.O^Ul UX 5 UJ. J.IJU UcU VCIJ.±,U 

ation 


ThiQ ^HAI 1 hp fiplHfi that indicate the securitv 
qualities of the platform. 


UUN rUKM_U 1 U 




ThiQ ^HAt t ho the UID that unambiauouslv 
identifies the protection profile of the TCG 
foundations in the platform. 


CONFORM UID 


foundation st 


This SHALL be the UID that unambiguously 
identifies the security target of the TCG 
foundations in the platfonm. 


REFERENCE 


p-ca_reference 


This SHALL be an unambiguous indication of 
the identity of the (Privacy CA) entity that 
attests to the TPM identity. 


TCG_VERSION 


TCG_VERSION 


This SHALL be the version specified in 
section 4.5. 


SIGNATURE 


signature__value 


This SHALL be the signature over all previous 
fields in TPMJDENT!TY_CREDENT1AL, 
using the private key of the p-ca_reference. 



If the data stmcture TPMJDENTITY_CREDENTIAL is stored on a platform after an Owner has taken 
ownership of that platform, it SHALL exist only in storage to which access is controlled and is available to 
authorized entities. 
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4.33 Command Ordinals 




Ordinals are 32 bit values. The upper byte contains values that serve as flag indicators, the next byte 
contains values indicating what connmittee designated the ordinal, and the final two bytes contain the 
Command Ordinal index. 



3.2 1 
10987654321098765432109876543210 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"+-+-+-+-+-+-+-+-+-+-+ 
, |P|C|V| Reserved I Purview I Command Ordinal Index | 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

Where: 

• P is Protected/Unprotected command. When 0 the command is a Protected conrimand, when 1 
the command Is an Unprotected command. 

• C is Non-Connection/Connection related command. When 0 this command passes through to 
either the protected (TPM) or unprotected (TSS) components. 

• V is TCGA/endor command. When 0 the command is TCG defined, when 1 the command is 
vendor defined. 

• All reserved area bits are set to 0. 



The following masks are created to allow for the quick definition of the commands 



Value 


Event Name 


Comments 


0x00000000 


TCG_PROTECTED_COMMAND 


TPM protected command, specified in main 
specification 


0x80000000 


TCG.UNPROTECTED_COMMAND 


TSS command, specified In the TSS 
specification 


0x40000000 


TCG_CONNECTION_COMMAND 


TSC command, protected connection 
commands are specified in the main 
specification. Unprotected connection 
commands are specified in the TSS. 


0x20000000 


TCG_VENDOR_COMMAND 


Command that is vendor specific for a given 
TPM or TSS. 
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The following Purviews have been defined: 



Value 


Event Name 


Comments 


0x00 


TCG^MAIN 


Command is from the main specification 


0x01 


TCG_PC 


Command is specific to the PC 


0x02 


TCG.PDA 


Command is specific to a PDA 


0x03 


TCG^CELL^PHONE 


Command is specific to a cell phone 



Combinations for the main specification would be 



Value 


Event Name 


TCG_PROTECTED_COMMAND | TCG_MAIN 


TCG_PROTECTED_ORDINAL 


TCG_UNPROTECTED_COMMAND | TCG_MAIN 


TCG_UNPROTECTED_ORDINAL 


TCG_CONNECTION_COMMAND | TCG.MAIN 


TCG_CONNECTI0N_ORDINAL 



If a command is tagged from the audit column the de^ult state is that use of that command SHALL be 
audited. OthenA^ise. the default state is that use of that command SHALL NOT be audited. 





TCG_PROTECTED_ORDINAL 
+ 


Audit 


TPM ORD OIAP 


10 




TPM ORD OSAP 


11 




TPM ORD ChangeAuth 


12 




TPM ORD TakeOwnership 


13 


X 


TPM ORD ChangeAuthAsymStart 


14 




TPM ORD ChangeAuthAsymFinish 


15 




TPM ORD ChangeAuthOwner 


16 


X 








TPM ORD Extend 


20 




TPM ORD PcrRead 


21 




TPM ORD Quote 


22 




TPM ORD Seal 


23 


X 


TPM ORD Unseal 


24 




TPM ORD DirWriteAuth 


25 


X 


TPM ORD DirRead 


26 










TPM ORD UnBind 


30 




TPM ORD CreateWrapKey 


31 


X 


TPM ORD LoadKey 


32 




TPM ORD GetPubKey 


33 




TPM ORD EvictKey 


34 










TPM ORD CreateMigrationBlob 


40 


X 




41 




TPM ORD ConvertMigrationBlob 


42 


X 


TPM ORD AuthorizeMigrationKey 


43 


X 


TPM ORD CreateMaintenanceArchive 


44 


X 


TPM ORD LoadMaintenanceArchive 


45 


X 


TPM ORD KillMaintenanceFeature 


46 


X 


TPM ORD LoadManuMaintPub 


47 


X 
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TPM ORD ReadManuMaintPub 


A O 










TPM ORD CertifyKey 


ou 










TPM ORD Sign 


ou 










TPM ORD GetRandom 


1 U 




TPM ORD StirRandom 












TPM ORD SelfTestFull 


o U 






o J. 




TPM ORD Certif ySelfTest 







TPM ORD ContinueSelfTest 


Q 




TPM ORD GetTestResult 


O A 

of* 










TPM ORD Reset 


Q n 




TPM ORD OwnerCIear 


Q 1 




TPM ORD DisableOwnerClear 




X 


TPM ORD ForceClear 


y o 


X. 


TPM ORD DisableForceClear 




X 








TPM ORD GetCapabilitySigned 


lOU 




TPM ORD GetCapability 


101 




TPM ORD GetCapabilityOwner 


10^ 










TPM ORD OwnerSetDisable 


1 1 U 


X 


TPM ORD PhysicalEnable 


111 


X 


TPM ORD PhysicalDisable 


112 


X 


TPM ORD SetOwnerlnstall 


11 J 


X 


TPM ORD PhysicalSetDeactivated 


114 


X 


TPM ORD SetTempDeactivated 


lie 

llo 


X 








TPM ORD CreateEndorsementKeyPair 


ion 


X 


TPM ORD Makeldentity 




X 


TPM ORD Activateldentity 


TOO 


X 


TPM ORD ReadPubek 


T O /I 

1 z ^ 


X 


TPM ORD Owner ReadPubek 




X 


TPM ORD DisablePubekRead 


l^D 


X 








TPM ORD GetAuditEvent 


i JU 


X 


TPM ORD GetAuditEvent Signed 


T O 1 


X 








TPM ORD GetOrdinalAuditStatus 


1 4U 




1 irW ^JI\L/ O 6 tWi UX Ilo. Xrt U (J J. U o i_a u Li o 


141 


X 








TPM ORD Terminate Handle 


150 




TPM ORD Init 


151 




TPM ORD SaveState 


152 




TPM ORD Startup 


153 




TPM ORD SetRedirection 


154 


X 








TPM ORD SHAlStart 


160 




TPM ORD SHAlUpdate 


161 




TPM ORD SHAlComplete 


162 
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TPM ORD SHAlCompleteExtend 


163 










TPM ORD FieldUpgrade 


170 










TPM ORD SaveKeyContext 


180 




TPM ORD LoadKeyContext 


181 




TPM ORD SaveAuthContext 


182 




TPM ORD LoadAuthContext 


183 





The connection commands manage the TPM's connection to the TBB. 





TCG CONNECTION ORDINAL + 


TSC ORD PhysicalPresence 


10 
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5. Authorization and Ownership 



5.1 Introduction 




newl^uthoL 



All entity authorizations requiring authorization MUST use the authorization data protocols. 

The TPM MUST support the OI-AP and the OS-AP which enable proof of knowledge of authorization data 
while maintaining the secrecy of that authorization data. 

The TPM MUST support the ADIP that inserts the authorization during entity creation. 
The TPM MUST support the ADCP and AACP which allow for the changing of authorization data. 
The TPM MUST support TPM_Tenminate_Handle which forces the tennination of a session. 
The TPM MAY support additional protocols to authenticate, insert and change authorization data. 
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The TPM MUST support the ability to calculate a HMAC in order to verify authorization data independent 
of the source or transmission mechanism. The TPM MUST calculate th HMAC digest according to 
section 8.6. The TPM MUST NOT perfonm the HMAC calculation for a returning message when the 
authorization for the command fails or the command fails for any other reason. 

If a command has more than one authorization value, each authorization session MUST use the same 
SHA-1 parameter digest (<paramDigest> from Sect. 4.4.2) plus its respective authorization setup 
parameters (nonces, authhandles, etc) in the HMAC calculation. For example, the capability 
9.3.1TPM_Makeldentity requires authorization from both the TPM Owner and from the SRK owner. So 
the authentication information "TpmOwnerAuth" and "Sri<Auth" are each calculated over all parameters 
tagged with an *S' subscript in the definition of TPM_Makeldentrty. 

All commands that use keys normally include at least one authorization session in the input parameters. If 
AuthDataUsage is set to TPM_AUTH_NEVER for that key, then the command does not need to be 
authorized. To implement this, the 5 authorization parameters at the end of the input parameter list should 
be removed and the tag value (first parameter) changed from TPM_TAG_RQU_AUTH1_COMMAND to 
TPM_TAG_RQU_COMMAND. 

When an incoming command includes an authorization session but the authorized key has 
AuthDataUsage set to NEVER the TPM MUST perfomri the following: 

• If the value of the command tag is TPM_TAG_RQU_AUTH1_COMMAND the TPM will compute 
the authorization based on the value store in the authorization location within the key. IGNORING 
the state of the AuthDataUsage flag. 

• Users may choose to use a well-known value for the authorization data when setting 
AuthDataUsage to NEVER. 

For commands that normally have 2 authorization sessions, if the tag specifies only one in the parameter 
array, then the first session listed is ignored (authDataUsage must be NEVER for this key) and the 
incoming session data is used for the second auth session in the list. 
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5.1.1 Tag Usage 

This table summarizes what can be the tag with a given TPM command. 









Tag 








o 


Q 
Z 


o 
z 








s. 








O 
^. 


o 

^. 


o 
o 


Section 


Name 


AUTH2 


AUTH1 


RQU_ 


5.6.1 


TPM_ChangeAuth 


X 






5.6.2 


TP M_ChangeAuth Owner 




X 




5.7.1 


TPM_ChangeAuthAsymStart 




X 


X 


5.7.2 


TPM_ChangeAuthAsymFinish 




X 


X 


5.11.1 


TPM_TakeOwnership 




X 




6.3.3 


TPM_Quote 




X 


X 


6.3.4 


TPM_DirWriteAuth 




X 




7.2.1 


TPM_Seal 




X 




7.2.2 


TPM_Unseal 


X 


X 




7.2.4 


TPM_UnBind 




X 


X 


7.2.5 


TPIV1_CreateWrapKey 




X 




7.2.8 


TPM_LoadKey 




X 


X 


7.2.10 


TPM_GetPubKey 




X 


X 


7.2.11 


TPM_CreateMigrationBIob 


X 


X 


X 


0 


TPM_ConvertMigrationBlob 




X 


X 


7.2.13 


TPM_AuthorizeMigrationKey 




X 




7.3.1 


TPM_CreateMaintenanceArchive 




X 




7.3.2 


TPM_LoadMaintenanceArchive 




X 




7.3.3 


TPM_KillMaintenanceFeature 




X 




8.3.1 


TPM_CertifyKey 


X 


X 


X 


8.7.1 


TPM_Sign 




X 


X 


8.9.2 


TPM_CertiTySeitTest 




X 


X 


0 


TPM_OwnerClear 




X 




8.10.6 


TPM_DisabIeOwnerClear 




X 




8.11.2 


TPM_GetCapabilitySlgned 




X 


X 


8.11.3 


TPM_GetCapabilityOwner 




X 




8.12.2 


TPM_GetAuditEventSigned 




X 


X 


8.12.3 


TPI\/I.SetOrdinalAudttStatus 




X 




8.14.1 


TPM_OwnerSetDisable 




X 




8.17 


TPM_SetRedirection 




X 


X 


9.2.3 


TPM_DisablePubel<Read 




X 




9.2.4 


TPM_OwnerRead Pubel< 




X 




9.3.1 


TPM_Makeldentity 


X 


X 




9.3.4 


TPM_Activateldentlty 


X 


X 
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5.2 Authorization protoc Is 







arit;ovemthfjnepworK?4^1 







»ntity*that require^ aathonzationahe^-Q^^ARg^ 




^ad^^of the'? _ 

occurs irf,twc^ways^?^Erther%iclBiCan/equeL 



ionzation^daj 









ilsjioSfSlf^' 
ew^nonce^value 
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5.2.1 Oi-AP descripti n 
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5.2.2 TPM.OIAP 
Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG.RQU.COMMAND 


2 


4 






UINT32 


paramSize 


Tola! number of Input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.OIAP. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMI^D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






TCG.AUTHHANDLE 


authl-landle 


Handle that TPM creates that points to the authorization state. 


5 


20 






TCG_NONCE 


nonceEven 


Nonce generated by TPM and associated with session. 



Actions 

1. The TPM_OIAP command allows the creation of an authorization handle and the tracking of the 
handle by the TPM. The TPM generates the handle and nonce. 

2. The TPM has an internal limit as to the number of handles that may be open at one time, so the 
request for a new handle may fail if there is insufficient space available. 

3. Intemally the TPM will do the following: 

a) TPM allocates space to save handle, protocol identification, both nonces and any other 
information the TPM needs to manage the session. 

b) TPM generates authHandle and nonceEven, returns these to caller 

4. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven value. 
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5.2.3 Auth rlzati n using an OI-AP sessi n 

mmmmmMW^ 




Actions 

perform the following actions: 

1 The TPM MUST verify that the authorization handle (H, say) referenced In the comm^^^^^^ to 
a valid session. If it does not. the TPM returns the error code TCG JNVALID_AUTHHANDLE 

2 The TPM SHALL retrieve the latest version of the caller's nonce (nonceOdd) and 
continueAuthSession flag from the input parameter list, and store it in internal TPM memory with 
the authSession 'H'. 

3 The TPM SHALL retrieve the latest version of the TPM's nonce stored with the authorization 
session H (authLastNonceEven) computed during the previously executed command. 

4. The TPM MUST retrieve the secret authorization data (SecretE. say) of the target entity. The 
entity and its secret must have been previously loaded into the TPM. 

5. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input 
command parameters and authorization parameters per section 4.4.2. 

6 The TPM SHALL compare HM to the authorization value received in the input parameters. If they 
are different, the TPM returns the error code TCG^AUTHFAIL if the authorization session is the 
first session of a command, or TCG_AUTH2FAIL if the authorization session is the second 
session of a command. Othenwise. the TPM executes the command which (for this example) 
produces an output that requires authentication. 

7. The TPM SHALL generate a nonce (nonceEven). 

8. The TPM creates an HMAC digest to authenticate the return code, return values and 
authorization parameters to the same entity secret per section 4.4.2 

9. The TPM returns the retum code, output parameters, authorization parameters and authorization 
digest. 

10. If the output continueUse flag is FALSE, then the TPM SHALL temiinate the session. Future 
references to H will retum an error. 
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5.2.5 TPM^OSAP 




Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAhA 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 




2 


A 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Comrnand ordinal, fixed value of TPM_ORD_OSAP. 


4 


2 






TCG_ENT1TY_TYPE 


entityType 


The type of entity in use 


5 


4 






UINT32 


entityValue 


The selection value based on entityType, e.g. a keyHandle # 


6 


20 






TCG.NONCE 


nonceOddOSAP 


The nonce generated by the caller associated with the shared 
secret. 


Outs 


loing ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Oescrfplio/) 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






TCG.AUTHHANDLE 


authHandle 


Handle that TPM creates that points to the authorization state. 


5 


20 






TCG.NONCE 


nonceEven 


Nonce generated by TPM and associated with session. 


6 


20 






TCG.NONCE 


nonceEvenOSAP 


Nonce generated by TPM and associated with shared secret. 



Actions 

1 The TPM_OSAP command allows the creation of an authorization handle and the tracking of the 

handle by the TPM. The TPM generates the handle. nonceEven and nonceEvenOSAP. 
2. The TPM has an internal limit on the number of handles that may be open at one time, so the request 

for a new handle may fail if there is insufficient space available. 
3 The TPM OSAP allows the binding of an authorization to a specific entity. This allows the caller to 

continue to send in authorization data for each command but not have to request the information or 

cache the actual authorization data. 
4. Internally the TPM will do the following: 
a. TPM receives command. 
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b TPM generates new handle and reserves space to save protocol identification, shared 
secret, both nonces and any other information the TPM needs to manage the session. 

c. TPM generates nonces nonceEven and nonceEvenOSAP. 

d The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC 
calculation is the secret authorization data assigned to the key handle identified by 
entityValue. The input to the HMAC calculation is the concatenation of nonces 
nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the 
shared secret which is saved in the authorization area associated with authHandle 

Descriptions 

entityXype = TCG.ET.KEYHANDLE 

The entity to authorize is a key held in the TPM. entityValue contains the keyHandle that holds the key. 
entityJype = TCG_ET_OWNER 

This value indicates that the entity is the TPM owner. entityValue is ignored. 
entityType = TCG_ET_SRK 

The entity to authorize is the SRK. entityValue is ignored. 
Usage 

On each subsequent use of the OSAP session the TPM MUST generate a new nonce value. 

The TPM MUST ensure that OS-AP shared secret is only available while the OS-AP session is valid. 

Termination 

The session MUST terminate upon any of the following conditions: 

• The entity is unloaded. 

• The entity has a change authorization performed on it. 

• The session is used in a TPM_ChangeAuth command. 

• The command that uses the session returns an enror. 
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5.2.6 Authorization using an OS-AP session 




Actions 

On reception of a command with ordinal C1 that uses an authorization session, the TPM SHALL perform 
the following actions: 

1 The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target entity when 
' the authorization session was established with TPM^OSAP. The entity and its secret must have been 

previously loaded into the TPM. 

2 The TPM MUST verify that the authorization handle (H, say) referenced in the command points to a 
valid session. If it does not, the TPM retums the error code TCG_INVALID^AUTHHANDLE. 

3. The TPM MUST calculate the HMAC (HM1. say) of the command parameters according to section 
4.4.2 

4 The TPM SHALL compare HM1 to the authorization value received in the command. If they are 
' different, the TPM returns the error code TCG.AUTHFAIL If the authorization session is the first 
session of a command, or TCG^AUTH2FAIL if the authorization session is the second session of a 
command., the TPM executes command C1 which produces an output (O. say) that requires 
authentication and uses a particular return code (RC. say). 

5. The TPM SHALL generate the latest version of the even nonce (nonceEven). 

6. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section 4.4.2 

7. The TPM returns HM2 in the parameter list. 

8 The TPM SHALL retrieve the continue flag from the received command. If the flag is FALSE, the TPM 

SHALL terminate the session and destroy the thread associated with handle H. 
If the shared secret was used to provide confidentiality for data in the received command, the TPM 
SHALL terminate the session and destroy the thread associated with handle H. 

Each time that access to an entity (key) is authorized using OSAP. the TPM MUST ensure that the OSAP 
shared secret is that derived from the entity using TPM_OSAP. 
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5.3 TPM_Terminate_Handle 




Type 

TCG protected capability. 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


U 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG^RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Terminate_Handle. 


4 


4 






TCG_AUTHHANDLE 


handle 


The handle to terminate 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 


1 


2 






TCG^TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Descriptions 

A TPM SHALL unilaterally perfomi the actions of TPM.Terminate^Handle upon detection of the following 
events: 

• Completion of a received command whose authorization "continueUse" flag is FALSE. 

. Completion of a received command when a shared secret derived from the authorization session 
was exclusive-or'ed with data (to provide confidentiality for that data). This occurs dunng 
execution of a TPM_ChangeAuth command, for example. 

• When the associated entity is destroyed (in the case of TPM Owner or SRK. for example) 

• Upon execution of TPMJnit 

• When the command returns an error. This is due to the fact that when returning an error the TPM 
does not send back nonceEven. There is no way to maintain the rolling nonces, hence the TPM 
MUST tenminate the authorization session. 

• Failure of an authorization check belonging to that authorization session. 
Actions 

The TPM SHALL terminate the session and destroy all data associated with the session indicated. 
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5.4 ADIP - Creating a New Entity 




PJsesf6fe\f6lTo^^^^ 
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The TPM MUST enable ADIP by using the OS-AP. The TPM MUST encrypt the authorization data for the 
new entity by performing an XOR using the shared secret created by the OS-AP. 
The TPM MUST destroy the OS-AP session whenever a new entity is created. 
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5,5 ADCP - Changing Authorization Data 




Changing authorization data for the TPM SHALL require authorization of the cun-ent TPM Owner. 

Changing authorization data for the SRK SHALL require authorization of the TPM Owner. 

If SRKAuth is a well known value. TPM.ChangeAuth SHOULD NOT be used to change the authorisation 

value of a child of the SRK. including the TPM identities. 

All other entities SHALL require authorization of the parent entity. 
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5.6 Changing authorization valu s 




5.6.1 TPM_ChangeAuth 




Type 

TCG protected capability; user must provide authorizations for the entity pointed to by parentHandle and 
inData. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


sz 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RQU_AUTH2_COMh4AND 


2 


4 






UINT32 


paramSIze 


Total number of input bytes Including paramSize and 
tag 


3 


4 


1s 


4 


TCG_COMMAND_C0DE 


ordinal 


Command ordinal, fixed at TPM_ORD_ChangeAuth 


4 


4 






TCG_KEY_HANDLE 


parentHandle 


Handle of the parent key to the entity. 


5 


2 


2s 


2 


TCG.PROTOCOLJD 


protocollD 


The protocol in use. 


6 


20 


3s 


20 


TCG.ENCAUTH 


newAuth 


The encrypted new authorization data for the entity. 
The encryption key is the shared secret from the OS- 
AP protocol. 


7 


2 


4s 


2 


TCG^ENTITY.TYPE 


entityType 


The type of entity to be modified 


8 


4 


5s 


4 


UINT32 


encDataSize 


The size of the encData parameter 


9 


<> 


6s 


<> 


BYTE[1 


encData 


The encrypted entity that is to be modified. 


10 


4 






TCG.AUTHHANDLE 


parentAuthHandle 


The authorization handle used for the parent key. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


11 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
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parentAuthHandle 


12 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Ignored, parentAuthHandle is always terminated. 


13 


20 






TCG_AUTHDATA 


parentAuth 


The authorization digest for inputs and parentHandle. 
HMAC key: parentKey.usageAuth. 


14 


4 






TCG.AUTHHANDLE 


entltyAuthHandle 


The session type MUST be OIAP 




\ 


2h2 


20 


TCG^NONCE 


entitylastNonceEven 


Even nonce previously generated by TPM 


15 


20 


3H2 


20 


TCG.NONCE 


entitynonceOdd 


Nonce generated by system associated with 
entityAuthHandle 


16 


1 


4h2 


1 


BOOL 


continueEntitySession 


Ignored, entityAuthHandle is always terminated. 


17 


20 






TCG.AUTHDATA 


entityAuth 


The authorization digest for the inputs and encrypted 
entity. HMAC Iwy: entity.usageAuth. 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_ChangeAuth 


4 


4 


3s 


4 


UiNT32 


outDataSize 


The used size of the output area for outData 


5 


<> 


4s 


o 


BYTE[1 


outData 


The modified, encrypted entity. 


6 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
parentAuthHandle 


7 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


8 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters and 
parentHandle. HMAC key: parentKey.usageAuth. 


9 


20 


2H2 


20 


TCG_NONCE 


entityNonceEven 


Even nonce newly generated by TPM to cover entity 






3h2 


20 


TCG.NONCE 


entitynonceOdd 


Nonce generated by system associated with 
entityAuthHandle 


10 


1 


4h2 


1 


BOOL 


entityContinueAuthS 
ession 


Continue use flag, fixed value of FALSE 


11 


20 






TCG^AUTHDATA 


entityAuth 


The authorization digest for the returned parameters and 
entity. HMAC key: newly changed entity.usageAuth. 



Descriptions 

A TPM MUST support the TPM_P!D_ADCP protocol. 

TPM_PID_ADCP protocol descriptions 

The parentAuthHandle session type MUST be TCG^PID.OSAP. 
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TPM_PID_ADCP pr t c I acti ns 

1. Verify that entltyType is one of TCG_ET_DATA, TCG.ET_KEY and return the error 
TCG_WRONG_ENTITYTYPE if not. 

2. The encData field MUST be the encData field from either the TCG.STORED^DATA or TCG.KEY 
structures. 

3. Create s1 string by concatenating (parentAuthHandle -> shared secret || authLastNonceEven) 

4. Create x1 by perfonning a SHA1 hash of si 

5. Create decryptAuth by XOR of x1 and newAuth. 

6. parentAuthHandle MUST be built using the parent entity's authorization data. 

7. The TPM MUST validate the command using the authorization data in the parentAuth parameter. The 
parentRef parameter provides the identification of the parent. 

8. After parameter validation the TPM creates b1 by decrypting inData using the key pointed to by 
parentHandle. 

9 The TPM MUST validate that b1 is a valid TCG structure by verifying that the command has been 
authorized to use the blob. This checks that 20B of the decrypted blob have the proper value, and 
provides statistical proof that the blob was coaectly decrypted. 

10. The TPM replaces the authorization data for b1 with decryptAuth created above. 

11. The TPM encrypts b1 using the appropriate mechanism for the type using the parentKeyHandle to 
provide the key information. 

12. The new blob is retumed in outData when appropriate. 

13. The TPM MUST enforce the destmction of both the parentAuthHandle and entityAuthHandle 
sessions. 
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5.6.2 TPM_ChangeAuthOwn r 




Type 

TCG protected capability; user must provide authorizations from the TPM Owner 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSIze and tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ChangeAuthOwner 


4 


2 


2s 


2 


TCG.PROTOCOLJD 


protocoltD 


The protocol in use. 


5 


20 


3s 


20 


TCG.ENCAUTH 


newAuth 


The encrypted new authorization data for the entity. The 
encryption key is the shared secret from the OS-AP 
protocol. 


6 


2 


4s 


2 


TCG.ENTITY.TYPE 


entityType 


The type of entity to be modified 


7 


4 






TCG.AUTHHANDLE 


ownerAuthHandle 


The authorization handle used for the TPM Owner. 






2 HI 


20 


TCG_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
ownerAuthHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag the TPM ignores this value 


10 


20 






TCG.AUTHDATA 


ownerAuth 


The authorization digest for inputs and ownerHandle. 
HMAC key: tpmOwnerAuth. 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Des(^pUwi 


# 


S2 


n 


SZ 






1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal TPM_ORD_ChangeAuthOwner 


4 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
ownerAuthHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


6 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters and 
ownerHandle. HMAC key: tpmOwnerAuth. This is the new 
tpmOwnerAuth value if this command changed that value. 



Descriptions 

A TPM MUST support the TPM_PID_ADCP protocol. 

In this capability, the SRK cannot be accessed as entityType TCG.ET.KEY. since the SRK is not 
wrapped by a parent key. 
TPM_PID_ADCP protocol descriptions 

The ownerAuthHandle session type MUST be TCG_PID_OSAP. 
TPM_PID_ADCP protocol actions 

1. Verify that entityType is either TCG.ET.OWNER or TCG.ET.SRK. and return the error 
TCG_WRONG_ENTITYTYPE if not. 

2. The ownerAuthHandle -> entityType MUST be TCG_ET_OWNER. 

3. Create s1 string by concatenating (ownerAuthHandle -> shared secret || authLastNonceEven) 

4. Create x1 by perfonrning a SHA1 hash of s1 

5. Create decryptAuth by XOR of x1 and newAuth. 

6 The TPM MUST enforce the destruction of the ownerAuthHandle session upon completion of this 
command (successful or unsuccessful). This includes setting continueAuthSession to FALSE 

7. Set the authorization data for the indicated entity to decryptAuth 
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5.7 Asymmetric Authorization Change Protocol 




Changing authorization data for the SRK SHALL involve authorization by the TPM Owner. 
If SRKAuth is a well known value, 

TPM^ChangeAuthAsymStart and TPI\4_ChangeAuthAsymFinish SHOULD be used to change the 
authorisation value of a child of the SRK. including the TPM identities. 
Ail other entities SHALL involve authorization of the parent entity. 
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5.7.1 TPM_ChangeAuthAsymStart 




Type 

TCG protected capability; user must provide authorization for the Identity In IdHandle. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


n 


sz 


n 


sz 


1 


2 






TCG^TAG 


tag 




2 


4 






UINT32 


paramSize 


Total numt>er of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command onJinal: TPM_ORD_ChangeAuthAsymStart 


4 


4 






TCG_KEY_HANDLE 


idHandle 


The keyHandle identifier of a loaded identity ID key 


5 


20 


2s 


20 


TCG.NGNCE 


antiReplay 


The nonce to be inserted into the certifylnfo structure 


6 


<> 


3s 


<> 


TCG.KEY^PARMS 


tempKey 


Structure contains all parameters of ephemeral key. 


7 


4 






TCG.AUTHHANDLE 


authHandle 


The authorization handle used for idHandle authorization. 






2 HI 


20 


TCG^NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3 H1 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


10 


20 






TCG.AUTHDATA 


idAuth 


The authorization digest for inputs and idHandle. HMAC 
key: idKey.usageAuth. 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descrif^on 


# 


SZ 


U 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 




rphirnCnrip 


The return code of the operation. See section 4.3. 






2s 


4 


Trf3 rnuMAND code 


nrdtnai 


Command ordinal: TPM_ORD_ChangeAuthAsymStart 


7 


95 


3s 


95 


Trn PFRTIFY INFO 


certifylnfo 


The certifylnfo structure that is to be signed. 


8 


4 


4s 


4 


UINT32 


sigSize 


The used size of the output area for the signature 


9 


<> 


5s 


<> 


BYTE[] 


sig 


The signature of the certifylnfo parameter. 


10 


4 


6s 


4 


TCG_KEY_HANDLc 


ephHandfe 


The keyHandle identifier to be used by 
ChangeAuthAsymFlnish for the ephemeral key 


11 


<> 


7s 


<> 


TCG_KEY 


tsmpKey 


Stnicture containing all parameters and public part of 
ephemeral key. TCG_KEY.encSize is set to 0. 


12 


20 


2hi 


20 


TCG.NGNCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system assodated with authHandle 


13 


1 


4 HI 


1 


BOOL 


continueAuthSessi 
on 


Continue use flag, TRUE if handle is still active 


14 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: idKey.usageAuth. 



Actions 

1. The TPM SHALL verify the authorization to use the TPM identity key held in idHandle. The TPM 
MUST verify that the key is a TPM identity key. 

2. The TPM SHALL validate the algorithm parameters for the key to create from the tempKey 
parameter. 

a. Recommended key type is RSA 

b. Minimum RSA key size MUST is 51 2 bits, recommended RSA key size is 1 024 

c. For other key types the minimum key size strength MUST be comparable to RSA 512 

d. If the TPM is not designed to create a key of the requested type, retum the enror code 
TCG_BAD_KEY_PROPERTY 

3. The TPM SHALL create a new key (k1) in accordance with the algorithm parameter. The newly 
created key is pointed to by ephhandle. 

4. The TPM SHALL fill in all fields in tempKey using k1 for the infonmation. The TCG_KEY -> encSize 
MUST be 0. 

5. The TPM SHALL fill in certifylnfo using k1 for the information. The certifylnfo -> data field is supplied 
by the antiReplay. 

6. The TPM then signs the certifylnfo parameter using the key pointed to by IdHandle. The resulting 
signed btob is returned in sig parameter 
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Field Descriptions for certifyinf parameter 



Type 


Name 


Description 


TCG_VERSION 


Version 


TCG version structure; section 4.5. 




Redirection 


This SHALL be set to FALSE 


* 


Migratabie 


This SHALL be set to FALSE 




Volatile 


This SHALL be set to TRUE 


TCG AUTH DATA 
USAGE 


authDataUsage 


This SHALL be set to TPM_AUTH_NEVER 


TCG_KEY_USAGE 


KeyUsage 


This SHALL be set to TPM.KEY^AUTHCHANGE 


UINT32 


PCRInfoSize 


This SHALL be set to 0 


TCG_DIGEST 


pubDigest 


This SHALL be the hash of the public key being 
certified. 


TCG_NONCE 


Data 


This SHALL be set to antiReplay 


TCG_KEY_PARMS 


info 


This specifies the type of key and its parameters. 


BOOL 


parentPCRStatus 


This SHALL be set to FALSE. 
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5.7.2 TPM_ChangeAuthAsymFinlsh 




Type 

TCG protected capability: caller must provide authorizations for the entity pointed to by parentRef 



Incoming Operands and Sizes 



PARAfA 


HMAC 


Type 


Name 


Description 


U 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSIze 


Total numt)er of input bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG.COMMAND^CODE 


ordinal 


Command ordinal: TPM.ORD.ChangeAuthAsymFinish 


4 


4 






TCG_KEY_HANDLE 


parentHandle 


The keyHandle of the parent key for the input data 


5 


4 






TCG_KEY,HANDLE 


ephHandle 


The keyHandle identifier for the ephemeral key 


6 


2 


3s 


2 


TCG_ENTn^_TYPE 


entityType 


The type of entity to be modified 


7 


20 


4s 


20 


TCG.HMAC 


newAuthLink 


HMAC calculation that links the old and new authorization 
values together 


8 


4 


5s 


4 




newAuthSize 


Size of encNewAuth 


9 


<> 


6s 


<> 


BYTE[1 


encNewAuth 


New authorization data encrypted with ephemeral key. 


10 


4 


7s 


4 


UINT32 


encDataSize 


The size of the inData parameter 


11 


<> 


8s 


<> 


BYTE[] 


encData 


The encrypted entity that is to l)e modified. 


12 


4 






TCG.AUTHHANDLE 


authHandle 








2 HI 


20 


TCG_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


13 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


14 


1 


4 HI 


1 


BOOL 


contlnueAuthSession 


The continue use flag for the authorization handle 


15 


20 






TCG.AUTHDATA 


privAuth 


The authorization digest for inputs and parentHandle. 
HMAC key: parentKey.usageAuth. 
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PARAM 


HMAC 


Type 


Name 


Uoscnpwjn 


# 




# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSIze and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


"^mmand ordinal: TPM_ORD_ChangeAuthAsymFinish 


4 


4 


3s 


4 


UINT32 


outDataSIze 


The used size of the output area for outData 


5 


<> 


4s 


<> 


BYTEU 


outData 


The modified, encrypted entity. 


6 


20 


5s 


20 


TCG.NONCE 


saltNonce 


A nonce value from the TPM RNG to add entropy to the 
changeProof value 


7 


<> 


6s 


<> 


TCG.DIGEST 


changeProof 


Proof that authorization data has changed. 


8 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: parentKey.usageAuth. 



Description 

If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM Owner 

authorization. 

Actions 

1 . The TPM SHALL validate that the authHandle parameter authorizes use of the key in parentHandle. 
The encData field MUST be the encData field from TCG_STORED_DATA orTCG.KEY. 
The TPM SHALL create e1 by decrypting the entity held in the encData parameter. 



The TPM SHALL cteate a1 by decrypting encNewAuth "^'"S tlie auy Handle -> 
TPM_KEY_AUTHCHANGE private key. a1 is a structure of type TCG_CHANGEAUTH_VALIDATE. 
5 The TPM SHALL create b1 by performing the following HMAC calculation: b1 = HMAC (a1 -> 
■ newAuthSecret). The secret for this calculation is encData -> cun-entAuth. This means that b1 is a 
value built from the current authorization value (encData -> currentAuth) and the new authonzation 
value (a1 -> newAuthSecret). 

6. The TPM SHALL compare b1 with newAuthLink. The TPM SHALL indicate a failure if the values do 
not match. 

7. The TPM SHALL replace e1 -> authData with a1 -> newAuthSecret 

8. The TPM SHALL encrypt e1 using the appropriate functions for the entity type. The key to encrypt 
with Is parentHandle. 

9. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG. 

10. The TPM SHALL create changeProof a HMAC of (saltNonce concatenated with a1 -> n1) using a1 -> 
newAuthSecret as the HMAC secret. 

11. The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the authorization 
session. 
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5-8 Auth rization Data 




The TPM MUST reserve 160 bits for the authorization data. The TPM treats the authorization data as a 
blob. The TPM MUST keep the authorization data in a shielded location. 

The TPM MUST enforce that the only usage in the TPM of the authorization data is to perform 
authorizations. 



Versi nl.la 1 Set mb r2001 



TCG Main Specification 



Page 131 



5.9 Nonces 




The requestor SHOULD provide a unique value in the odd nonce field of the authorization structure for 
each request. The TPM MAY enforce the uniqueness of values from the requestor. 
The TPM MUST supply a new nonce value for each reply. The nonce value MUST come from the intenrial 
RNG. The TPM MUST enforce the validity of the retuming nonce another command uses the 
authorization session. 
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5.10 Authorization Handle 




The TPM MUST support authorization handles. The TPM MUST support a minimum of two concun-ent 
authorization handles. 

The TPM MUST support authorization-handle temnination. The termination includes secure deletion of all 
authorization session infomriation. 
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5-11 TPM Ownership 




The TPM MUST ship with no Owner installed. The TPM MUST use the ownership-control protocol. 
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5.11.1 TPM.TakeOwnership 
Type 

TCG protected capability; user must encrypt the values using the PUBEK. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Netne 


Description 


n 


SZ 


# 


SZ 


<* 


£ 








tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes Including paramSize and 
tag 


3 


4 


1s 


4 


1 UV9_wUIVllVi/VTll^_,V/wU*t 


oitlinal 


Command ordinal: TPM.ORD.TakeOwnership 


4 


2 


2s 


2 


TCG.PROTOCOLJD 


protocolID 


The ownership protocol in use. 


5 


4 


3s 


4 


UINT32 


encOwnerAuthSize 


The size of the encOwnerAuth field 


6 


<> 


4s 


<> 


BYTE[] 


encOwnerAuth 


The owner authorization data encrypted with PUBEK 


7 


4 


5s 


4 


UINT32 


encSrkAuthSize 


The size of the encSrkAuth field 


8 


256 


6s 


256 


BYTE[) 


encSrkAuth 


The SRK authorization data encrypted with PUBEK 


9 


<> 


7s 


<> 


TCG.KEY 


srkParams 


Stojcture containing all parameters of new SRK, 
pubKey.keyLength & encSize are both 0 


10 


4 






TCGjMJTHHANDLE 


authHandle 








2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


11 


20 


3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


12 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


13 


20 






TCG^AUTHDATA 


ownerAuth 


Authorization digest for input params. HMAC key: the 
new ownerAuth value. See actions for validation 
operations 


Out( 


}oing C 


)perand 


6 and S 


izes 


PARAM 


HMAC 


Type 


Name 


Descriptbn 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD_TakeOwnership 


4 


<> 


3s 


<> 


TCG_KEY 


srkPub 


Stnicture containing all parameters of new SRK. 
sri(Pub.encData is set to 0. 


5 


20 


2hi 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 
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6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
Hfk/IAC key: the new ownerAuth value 



Actions 

The new owner MUST encrypt the Owner authorization data and the SRK authorization data using the 
PUBEK The Indoreement key pair MUST be an RSA key so the encryption algorithm .n use to encrypt 
these secrets is RSA. 

If the TPM has a current owner then the TPM upon receipt of this command SHALL return the error code 
TCG_OWNER_SET. 

If the TPM has no current owner then the TPM upon receipt of this command SHALL: 

I . If no EK is present the TPM MUST return TCG_NO_ENDORSEMENT 

2 If TCG_PERSISTENT_FLAGS -> ownership Is FALSE, the TPM SHALL abandon the process of 
granting ownership and return the error TCG JNSTALL_DISABLED 

3. Verify that the authorization session is of type OI-AP. 

4. Decrypt EncOwnerAuth using the PRIVEK to generate ProspectiveOwnerAuth. 

5. Use the TCG authorization protocol to verify that alt input parameters tagged with AUTH have been 
sent by an entity that knows ProspectiveOwnerAuth. 

6. Store ProspectiveOwnerAuth as the Owner's authorization data. 

7. If the TPM is not designed to create a key of the requested type, retum the error code 
TCG_BAD_KEY_PROPERTY 

8. Generate a new SRK in accordance with the algorithm parameter. In version 1 of the specification, 
algorithm MUST indicate a 2048 bit RSA key. 

9. Verify that srkParams.>keyUsage is TPM^KEY.STORAGE. If it is not return 
TCG_I N VALID_KEYU SAGE . 

10 Verify that sricParams->keyFlags->migratable is FALSE. If it is not. retum 
TCG.INVALID_KEYUSAGE 

II. Decrypt EncSri^uth using the PRIVEK and store the result as the SRK's authorization data. 

12 Obtain a TCG NONCE from the TPM's Random Number Generator and store it as 
' TCG.PERSISTENT.DATA -> tpmProof. tpmProof SHALL be stored in TCG shielded locations, only. 

13. Retum the public part of the SRK to the caller. 

14. Calculate an authenticated response using the new authorization data 
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6.1 Introduction 
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6.2 Platf rm Configuration Registers 

6.2.1 Format and Properties 

A Platfonn Configuration Register (PGR) consists of a 160-bit field that holds ^ .^^^«r!!L"''pCRs 
hash value and a 4-byte status field. The PGR data structure MUST be a TCG-shielded location. PGRs 
SHOULD be in volatile storage. The PCRs MUST be set to 0 before first use. This specification does not 
mandate the internal storage format. 

ATPM implementation MUST provide 16 or more independent PCRs. These PCRs are identified by index 
and MUST b^numbered from 0 (that is. PCRo through PCR.s are required for TCG compliance). Vendor 
MAY implement more registers for general-purpose use. Extra registers MUST be numbered contiguously 
from 1 6 up to max - 1 , where max is the maximum offered by the TPM. 

The TCG-protected capabilities that expose and modify the PCRs use a 32-bit index, indicating the 
maximum usable PCR index. How/ever. TCG reserves register indices 2=» and higher for later versions of 
the specification. A TPM implementation MUST NOT provide registers with indices greater than or equal 
to 2*. In this specification, the following terminotagy is used (although this internal fonnat is not 
mandated). 

A TCG measurement agent MAY discard a duplicate event instead of incorporating it in a PCR. provided 
that: 

1. a relevant TCG platform specification explicitly pemriits duplicates of this type of event to be 
discarded 

2. the PCR already incorporates at least one event of this type 

3 an event of this type previously incorporated into the PCR included a statement that duplicate 
such events may be discarded. This option could be used where frequent recording of sleep 
states will adversely affect the lifetime of a TPM. for example. 

6.2.2 Initialization 

PCRs and the protected capabilities that operate upon them MAY NOT be used until power-on self-test 
(TPM POST) has completed. If TPM POST fails, the TPM_Extend operation will fail; and. of greater 
mportance. the TPM Quote operation and TPM_Seal operations that r^pecUvely report and examine 
the PCR eContents MUST fail. At the successful completion of TPM POST, all PCRs MUST be set to 0. 
Additionally, the UINT32 flags MUST be set to zero. 

6.2.3 Authorized PCRs 

A TPM MUST provide one Data Integrity Register (DIR). Implementations MAY provide nriore. These 
registers MUST hold 160-bit values and MUST be held in TCG-shielded locations Further hese 
registers MUST be non-volatile (values are maintained during the power-off state). A TPM implementation 
need not provide the same number of DIRs as PCRs. 
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6.3 Operations Supp rtlng Integrity Coll ction and Reporting 

6.3.1 TPM^Extend 
Type 



TCG protected capability. 
Incoming Operands and Sizes 





HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM^TAG.RQU^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG^COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD^Extend. 


4 


4 






TCG.PCR1NDEX 


pcrNum 


The PGR to be updated. 


5 


20 






TCG.DIGEST 


InDigest 


The 1 60 bit value representing the event to be recorded. 


Outs 


loing ( 


Dperar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG.RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG^RESULT 


retumCode 


The retum code of the operation. See section 4.3. 


4 


20 






TCG.PCRVALUE 


outDigest 


The PGR value after execution of the command. 



Descriptions 

TPM_Extend, TPM_SHA1CompleteExtend and TPIVI_Startup SHALL be the only commands that alter the 
value of any PCRs. 

When TCG_PERSISTENT_FLAG -> disable is TRUE. TPM_Extend SHALL update the target PGR but 
retum zero instead of the new value of the PGR. 

Actions 

1. Create c1 by concatenating (PCRmdex TCG.PCRVALUE || inDigest). This takes the current PGR 
value and concatenates the inDigest parameter. 

2. Create h1 by performing a SHA1 digest of c1 . 

3. Store h1 as the new TCG.PCRVALUE of PCRindex 

4. If TCG_PERSISTENT_FLAG -> disable Is TRUE 

a. Set outDigest to 20 bytes of 0x00 

5. Else 

a. Set outDigest to h1 
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6.3.2 TPM_PcrRead 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG^C0MI\4AND_C0DE 


ordinal 


Command ordinal, fixed value of TPM.ORD_PcrRead. 


4 


4 






TCG.PCRINDEX 


pcrlndex 


Index of the PGR to be read 


Outs 


oingC 


Dperar 


Ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM.TAG.RSP^COMMAND 


2 


4 






UINT32 


paramSIze 


Total number of output bytes Including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The retum code of the operation. See section 4.3. 


4 


20 






TCG.PCRVALUE 


outOigest 


The current contents of the named PGR 



Actions 

The TPM_PcrRead operation returns the current contents of the named register to the caller. 
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6.3.3 TPM_Qu te 




T^G protected c^p^bility; user must provide authonzatior, to use the key .ndicated by the key1 
parameter. 

Incoming Operands and Sbes 



PARAM 



HMAC 



1s 



SZ 



Type 



TCG_TAG 
UINT32 
TCG_COMMAND_CODE 

TCG_KEY^HANDLE 



Name 

tag 
paramSize 
ordinal 

keyHandle 



Deschptton 

TPM,TAGJQU.AU TH1,C0MMAND' 

Total number of input bytes includin g paramSize and tag 
Command ordinal, fixed value of TPM^ORD,Quote." 
The keyHandle identifier of a loaded Icey that can sign tne 
PGR values. 



2s 20 



TCG_NONCE 



extmalData 



160 bits of externally supplied data (typically a nonce 
provided by a server to prevent replay-attacks) 




Outgoing Operands and Sizes 



PARAM 



HMAC 



# 



SZ 



Type 

TCG^AG 



U1NT32 



Name 



paramSize 
retumCode 



Description 
TPM_TAG^RSP„AUT1 ..COMMAND 



Total number of output bytes including paramSize and tag 



Is 

IT 



TCG.RESULT 



TCG.COMMAND.CODE 



ordinal 



The return code of the operation. See section 4.3. 
Command ordinal, fixed value of TPM.ORD.Quote, 
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4 


<> 


3s 


<> 


TCG_PCR_COMPOSITE 


pcrData 


A structure containing the same indices as targetPCR, 
plus ttie corresponding current PGR values. 


5 


4 


4s 


4 


UINT32 


sigSize 


The used size of the output area for the signature 


6 


<> 


5s 


<> 


BYTE[1 


sig 


The signed data blob. 


7 


20 


2hi 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag. TRUE if handle is still active 


9 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: Key -> usageAuth. 



Actions 

The TPM MUST validate the authorization to use the key pointed to by keyHandle. 
The TPM MUST check that the targetPCR parameter is a consistent TCG_PCR_SELECTION structure 
and that the targetPCR.pcrSelect parameter Is non-zero. If targetPCR Is .ncorrect or targetPCR.pcrSelect 
is zero, the TPM MUST retum the en-or code TCGJNVALID_PCR_INFO. 

If targetPCR is valid and the tergetPCR.pcrSelect parameter value is non-zero, the TPM_Quote 
operation SIHALL: 

1. Assemble a TCG PCR_COMPOSITE data structure in a TPM-shielded Jjlf 
Indices in the TCG~PCR_COMPOSITE structure SHALL be the same as those in the targetPCR 
parameter. This TCG_PCR_COMPOSITE data stmcture SHALL be returned by the call. 

2. Create a TCG_COMPOSITE_HASH structure as described in section 10.4.5. using the 
TCG_PCR_COMPOSITE structure as an Input. 

3. Incorporate the TCG_COMPOSITE_HASH. information about the type °Peration 
(TPmIqUOTE). version infonnation. and the ExtemalData parameter into a TCG_QUOTE_INFO 
structure. 

4. Sign the TCGjQUOTEJNFO structure, using keyHandle as the signature key. 

5. Retum the resulting signature value in parameter sig. 
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6.3.4 TPM_DlrWrIteAuth 




?CG protected capability: the user must provide authoriza«on ftom the TPM Owner to execute function. 
Incoming Operands and Sizes 



PARAM 



HMAC 



1s 



2s 



3s 



2 m 

3 m 

4 HI 



SZ 



20 



Type 
TCG.TAG 



UINT32 
TCG_COMMAND_CODE 



TCG.DIRINDEX 



TCG.DIRVALUE 
TCG^AUTHHANDLE 



TCG_NONCE 
TCG.NONCE 
BOOL 
TCG_AUTHDATA 



Name 
tag 



paramSize 
ordinal 



Description 

TPM_TAG.RQUJVUTH1.C0MMANU 



dirindex 



newContents 
authHandle 



authLastNonceEven 
nonceOdd 
continueAuthSession 

ownerAuth 



Total number of input bytes inclu ding paramSize and tag 
Command ordinal: TPM.ORD.DirWriteAuth. 



Index of the DIR 



New value to be stored in named DIR 
The authorization handle used for command. 



Even nonce previousiy generated b y TPM to cover inpUte" 

Nonce generated by system associated with authHandle 

The continue use flag for the authorization handle 

The authorization digest for inputs. HMAC key: 
ownerAuth. 



Outgoing Operands and Sizes 



Version 1.1a 1 S t mber2001 



Page 143 

TCG Main Specification 



command 

2. Validate that dirtndex points to a valid DIR on this TPM 

3. Write newContents into the DIR pointed to by dirtndex 
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Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAfA 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UiNT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG^COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM^ORD_DirRead. 


4 


4 






TCG.DIRINDEX 


dirlndex 


index of the DlRtoberead 


Outs 


|oing ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


i:)escription 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


20 






TCG_DIRVALUE 


dirContents 


The current contents of the named DIR 



Actions 

1 . Validate that dirlndex points to a valid DIR on this TPM 

2. Return the contents of the DIR in dirContents 



Version 1.1a 1 Setember 2001 



TCG Main Specification 



Page 145 




Versi n 1.1a 1 Set mber2001 



TCG Main Specification 



Page 146 




Versi n1.1a 1 Setember2001 



TCG Main Specification 



Page 147 






fethe pnvateke 




dafaarBSUfficientto 



ffoijpedgSi^dr 



»ver. 



-than keysEa ufeqioi«o?'xyp4'My^^ 



Versi n1.1a 1 S tember2001 



TCG Main Specification 



Page 148 




Versi nl.la 1 S temb r2001 



TCG Main Specification P^9® ^ ^ ® 



7.1.2 Key Storage 

The number of asymmetric keys that are storable via a TPiVI SHOULD be limited only by the volume of 
storage available to the platform. 

The TPM SHALL ensure that the TCG_PERSISTENT_FLAGS -> tmpProof field is only included on TPM 
intemally generated non-migratable keys. The rationale is that the tmpProof field is confidential 
information and exposure of this information would lower the security of the system. 
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7.2.1 TPM Seal 




Type 

TPM function; user must provide authorization to use the key pointed to by keyHandle. 
Incoming Operands and Sizes 



PARAM 


HMAO 


Type 


Name 


Descriptton 


# 


SZ 


U 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSIze and 

tag 


3 


4 


1s 


4 


TCG^COMMAND.CODE 


ordinal 


Comnnand ordinal, fixed value of TPM.ORD_Seal. 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


Handle of a loaded key that can perform seal 
operations. 


6 


20 


2s 


20 


TCG.ENCAUTH 


encAuth 


The encrypted authorization data for the sealed data. 
The encryption key is the shared secret from the OS- 
AP protocol. 


6 


4 


3s 


4 


UINT32 


pcrlnfoSize 


The size of the pcrlnfo parameter. If 0 there are no 
PGR registers in use 
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7 


<> 


4s 


<> 


TCG_PCR_IMFO 


pcrlnfo 


The PGR selection infonnatlon 


8 


4 


5s 


4 


UllNiT32 


inOataSize 


The size of the inData parameter 


9 


<> 


6s 


<> 


QVTEf 1 

BYTEll 


inData 


The data to be sealed to the platform and any specified 
PCRs 


10 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for keyHandle 
authorization. Must be an OS^ session for this 
command. 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


11 


20 


3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


12 




4 HI 


t 


BOOL 


continueAuthSession 


Ignored 


13 


20 






TCG^AUTHDATA 


pubAuth 


The authorization digest for inputs and keyHandle. 
HMAC key. key.usageAuth. 


Outs 


oing( 


)peranc 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Nam 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG^RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG^COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Seal. 


4 


<> 


3s 


4 


TCG_STORED_DATA 


sealedData 


Encrypted, integrity-protected data object that is the result 
of the TPM.Seal operation. 


5 


"IT 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


f 


BOOL 


continueAutti Session 


Continue use flag, fixed value of FALSE 


7 


20 






TCG_AUTHDATA 


resAuth 


The authorizatnn digest for the returned parameters. 
HMAC key: key.usageAuth. 



Descriptions 

The string used for XOR encryption of the command variable named encAuth SHALL be tlie digest 
created by concatenating the shared session secret with the even numbered hash (generated by the 
TPM) and hashing the concatenated value. 

TPlVI_Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal. 
Actions 

1 . If the inDataSize is 0 the TPM returns TCG_BAD_PARAMETER 

2. If the keyUsage field of the key indicated by keyHandle does not have the value 
TPM_KEY_STORAGE, the TPM must retum the error code TCGJNVALID_KEYUSAGB 

3. If the keyHandle points to a mig ratable key then the TPM MUST return the error code 
TCG INVALID_KEY_USAGE. 
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4 The TPM.Seal command MUST fill in a TPM_STORED_DATA stmcture. This structure includes a 
properly filled in and encrypted TCG.SEALED^DATA structure. The encryption key for the operation 
is the key pointed to by the keyHandle parameter. 

5. The TPM MUST set the TPM_STORED_DATA -> ver to the cun-ent TPM version. 

6 Create an XOR-string by concatenating the shared session secret with the even numbered hash 
(generated by the TPM) and hashing the concatenated value. Generate the plaintext authorization 
data for the sealed data by XORing the XOR-string with the variable encAuth. 

7. Set continueAuthSession to FALSE. 

8. If the data is wrapped to PCR's then 

a. The TPM MUST check that the pcrlnfo parameter is a consistent 
TCG_PCR_SELECtlGN structure. If not. the TPM MUST retum the error code 
TCG_BADINDEX. 

b. The TPM MUST compute a1 by creating TCG_COMPOSITE_HASH value using pcrlnfo - 
> pcrSelection as the input to the algorithm in 10.4.5. 

c. The TPM MUST set TPM.STORED.DATA -> seallnfo -> digestAtRelease to pcrlnfo -> 
digestAtRelease. 

d. The TPM MUST set TPM_STORED_DATA -> Seallnfo -> digestAtCreation to a1 

e. The TPM MUST set TPM_STORED_DATA -> seallnfoSize to the size of the 
TCG_PCRJNFO structure. 

9. Else 

a. The TPM MUST set TPM_STORED_DATA -> seallnfoSize to 0. 

10. The TPM provides no validation of the authorization data. Well known values like nulls are possible 
and allowed. 

1 1 . The TPM must ensure that the PAYLOAD_TYPE byte of any sealed data is set to the proper value to 
ensure that all encrypted elements can be distinguished from each other. 
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7.2.2 TPM_Unseal 




Type 

TPM protected capability; the user must provide authorizations to use the parent Icey pointed to by 

parentHandle. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descriptbn 


U 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM^TAG_RQU_AUTH2^C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and 
tag 


3 


4 


1s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Unseal. 


4 


4 






TCG_KEY_HANDLE 


parentHandle 


Handle of a loaded key that can unseal the data. 


5 


<> 


2s 


<> 


TCG_STORED_DATA 


inOata 


The encrypted data generated by TPM_SeaI. 


6 


4 






TCG.AUTHHANDLE 


authHandle 


The authorization handle used for parentHandle. 






2 HI 


20 


TCG.NONCE 


authlastNonceEven 


Even nonce prevfously generated by TPM to cover 

inputs 


7 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


8 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


9 


20 






TCGJMrrHDATA 


parentAuth 


The authorization digest for inputs and parentHandle. 
HMAC key: parentKey.usageAuth. 


10 


4 






TCG_AUTHHANDLE 


dataAuthHandle 


The authorization handle used to authorize inOata. 






2k2 


20 


TCG.NONCE 


dataLastNonceEven 


Even nonce previously generated by TPM 


11 


20 


3h2 


20 


TCG.NONCE 


datanonceOdd 


Nonce generated by system assodated with 
entityAuthHandle 


12 


1 


4h2 


1 


BOOL 


continueDataSession 


Continue usage flag for dataAuthHandle. 


13 


20 






TCG.AUTHDATA 


dataAuth 


The authorization digest for the encrypted entity. HMAC 
key: entity.usageAuth. 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


M 
ir 




rr 




4 

J 


o 
c 






TCG.TAG 


tag 


TPM_TAG_RSP_AUTH2_C0MMAND 


2 


4 








parsmSize 


Total number of output bytes including paramSize and 
tag 


3 


4 


IS 


4 


TCG^RESULT 


returnCode 


The return code of the operatbn. See section 4.3. 






2s 


4 


TCG_C0M^4AND_C0DE 


ordinal 


Command ordinal, fixed value of TPM_0RD_Unseal. 


4 


4 


3s 


4 


UINT32 


sealedDataSize 


The used size of the output area for secret 


5 


<> 


4s 


<> 


BYTE[1 


secret 


Decrypted data tnat naa oeen seaiea 


6 


20 


2 HI 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonoeOdd 


Nonce generated by system associated with authHandte 


7 


1 


4 HI 


1 


BOOL 


continueAuthSesslon 


Continue use flag. TRUE if handle is still active 


8 


20 






TCG^AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC Icey: parentKey.usageAuth. 


9 


20 


2h2 


20 


TCG.NONCE 


dataNonceEven 


Even nonce newly generated by TPM. 






3h2 


20 


TCG_NONCE 


datanonoeOdd 


Nonce generated by system associated with 
dataAuthHandie 


10 


1 


4h2 


1 


BOOL 


continueDataSession 


Continue use flag, TRUE if handle Is still active 


11 


20 






TCG_AUTHDATA 


dataAuth 


The authorization digest used for the dataAuth session. 
HMAC Icey: entity.usageAuth. 



Actions 

1. The TPM I^UST validate that parentAuth authorizes the use of the key in parentHandle. On failure 
the TPM MUST return TCG_AUTHFAIL. 

2. If the keyUsage field of the key indicated by parentHandle does not have the value 
TPM_KEY_STORAGE, the TPM must return the error code TCGJNVALID_KEYUSAGE. 

3. The TPM MUST check that the TCG_KEY_FLAGS -> Migratable flag has the value FALSE in the key 
indicated by parentKeyHandle. If not, the TPM MUST return the error code 
TCGJNVALID_KEYUSAGE 

4. The TPM MUST create d1 by decrypting inData using the key pointed to by parentHandle. inData Is a 
TCG_STORED_DATA structure and the encrypted area is pointed to by inData -> encData. 

5. The TPM MUST check the integrity of the d1. The integrity check establishes that the d1 is a 
consistent TPM_SEALED_DATA structure created with by a TPM_Seal operation on the same TPM 
that is attempting the TPM_Unseal and that d1 has not been modified. 

a. The TPM MUST check that the d1 -> tpmProof matches TCG_PERSISTENT_DATA -> 
tpmProof. 

b. The TPM MUST calculate h1 by performing the same calculation that creates 
TPM„SEALED_DATA -> storedDigest 

c. The TPM MUST validate that h1 and d1 -> storedDigest match. 

d. The TPM MUST check the TCG_PAYLOAD„TYPE value and ensure that it is not 
decrypting a key. 
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e. If d1 fails the integrity cliecics, then the operation UUST return the enror 
TCG_NOTSEALED_BLOB. 

6 The TPM must validate the authorization to use d1. The TPM MUST validate the authorization in 
dataAuth matches the d1 -> authData parameter. The TPM MUST return TCG.AUTHFAIL on a 
mismatch. 

7. If inData is wrapped to PCR's then, 

a. The TPM MUST ensure that the PCRs to which the blob was sealed are the same as the 
PCRs' values that exist at the time of TPM_Unseal. 

b. The TPM MUST validate that inData -> pcrlnfo is a valid TCGJNFO^STRUCTURE. 

c. The TPM will create h1 by computing a composite hash using the inData -> pcrlnfo 
parameter as the input to the composite hashing algorithm (See 10.4.5). 

d. The TPM MUST compare hi with inData -> pcrlnfo -> digestAtRelease. On a mismatch 
the TPM MUST return TCG_WRONGPCRVALUE. 

8. else 

a. The TPM does not need to check PGR configuration. 
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7.2.4 TPM_UnBind 




Type 

. TCG protected capability; the user must provide authorization to use the Icey specified in the l^eyHandle 
parameter. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descriptbn 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_UnBind. 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can perfbmi 
UnBind operations. 


5 


4 


2s 


4 


UINT32 


inDataSize 


The size of the input blob 


6 


<> 


3s 


<> 


BYTE[1 


inOata 


Encrypted blob to be decrypted 


7 


4 






TCG_AUTH HANDLE 


authHandle 


The handle used for keyHandle authorization 






2 HI 


20 


TGG.NONCE 


ButhLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


10 


20 






TCG_AUTHDATA 


privAuth 


The authorization digest that authorizes the inputs and 
use of keyHandle. HMAC key: key.usageAuth. 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_UnBind 


4 


4 


3s 


4 


U1NT32 


outDataSize 


The length of the returned decrypted data 


5 


<> 


4s 


<> 


BYTE[1 


outData 


The resulting decrypted data. 


6 


20 


2 HI 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3hi 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4 HI 


1 


BOOL 


conttnueAuth Session 


Continue use flag, TRUE if handle is still active 


8 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: key.usageAuth. 



Description 

iJnBind SHALL operate on a single block only. 
Actions 

The TPM SHALL perfonm the following: 

1 . If the inDataSize is 0 the TPM returns TCG_BAD_PARAIVIETER 

2. Validate the authorization to use the key pointed to by keyHandle 

3. If the keyUsage field of the key referenced by keyHandle does not have the value TPM_KEY_BIND 
or TPM_KEY_LEGACY. the TPM must return the enror code TCGJNVALID^KEYUSAGE 

4. Decrypt the inData using the key pointed to by keyHandle 

5. if (keyHandle -> encScheme does not equal TCG_ES_RSAESOAEP_SHA1_MGF1) and 
(keyHandle -> keyUsage equals TPM_KEY_LEGACY). 

a. The payload does not have TCG specific markers to validate, so no consistency check 
can be performed. 

b. Set the output parameter outData to the value of the decrypted value of inData. (Padding 
associated with the encryption wrapping of inData SHALL NOT be returned.) 

c. Set the output parameter outDataSize to the size of outData, as deduced from the 
decryption process. 

d. Return the output parameters. 



6. else 



Interpret the decrypted data under the assumption that it is a TCG_BOUND_DATA 
structure, and validate that the payload type is TCG_PT_BIND 

Set the output parameter outData to the value of TCG_BOUND_DATA -> payloadData. 
(Other parameters of TCG_BOUND_DATA SHALL NOT be returned. Padding associated 
with the encryption wrapping of inData SHALL NOT be returned.) 

Set the output parameter outDataSize to the size of outData, as deduced from the 
decryption process and the interpretation of TCG_BOUND_DATA. 
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d. Return the output parameters. 
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7.2.5 TPM.CreateWrapKey 




TCG protected capability; the user must provide authorization to use the key indicated by parentHandle. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 






1 


2 






TCG TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and 
tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateWrapKey 


4 


4 






TCG_KEY.HANDLE 


parentHandle 


Handle of a loaded key that can perfonn key wrapping. 


5 


20 


2s 


20 


TCG^ENCAUTH 


dataUsageAuth 


Encrypted usage authorization data for the sealed data. 


6 


20 


3s 


20 


TCG_ENCAUTH 


dataMigrationAuth 


Encrypted migration authorization data for the seated 
data. 


7 


<> 


4s 


<> 


TCG.KEY 


keylnfo 


Information about key to be created, pubkey.keyLength 
and keylnfo.encData elements are 0. 


8 


4 






TCG.AUTHHANDLE 


authHandle 


The authorization handle used for parent key 
authorizatkm. Must be an OS_AP session. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by tPM to cover 
inputs 


9 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


10 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Ignored 


11 


20 






TCG_AUTHDATA 


pubAuth 


The authorization digest that authorizes the use of the 
public key in parentHandle. HMAC key: 
parentKey.usageAuth. 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1s 


4 


TCG RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM^ORD.CreateWrapKey 


4 


<> 


4s 


<> 


TCG.KEY 


wrappedKey 


The TCG.KEY structure which includes the public and 
encrypted private key 


5 


20 


2 HI 


20 


TCG^NONCE 


nonceEven 


Even nonce newty generated by TPM to cover outputs 






3hi 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed at FALSE 


7 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: parentKey.usageAuth. 



Descriptions 

This command requires the encryption of two parameters. To create two XOR strings the caller combines 
the two nonces in use by the OSAP session with the session shared secret 

DataUsageAuth is XOR'd with the SHA-1 hash of the concatenation of the OSAP session shared secret 
with the even numbered nonce generated by the TPM (authLastNonceEven). MigrationAuth is XOR d with 
the SHA-1 hash of the concatenation of the OSAP session shared secret with the odd numbered nonce 
generated by the caller (nonceOdd). 

Actions 

The TPM SHALL do the following: 

1 . Validate the authorization to use the key pointed to by parentHandle. Retum TCG_AUTHFAIL on any 
error. 

2. Validate the session type for parentHandle is OS-AP. 

3. If the TPM is not designed to create a key of the type requested in keylnfo. return the error code 
TCG_BAD_KEY_PROPERTY 

4. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE 

5. If parentHandle -> keyFlag -> migratable is TRUE and keylnfo -> keyPlag -> migratabie is FALSE 
then return TCGJNVALID_KEYUSAGE 

6. Validate key parameters 

a keylnfo -> keyUsage MUST NOT be TPM^KEYJDENTITY or 
TPM_KEY_AUTHCHANGE. If it is, return TCGJNVALID.KEYUSAGE 

b. If iceyinfo -> keyUsage equals TPM_KEY.STORAGE 

i. algorithmID MUST be TCG_ALG_RSA 

ii. encScheme MUST be TCG_ES_RSAESOAEP_SHA1_MGF1 
iti. sigScheme MUST be TCG_SS_NONE 

iv. key size MUST be 2048 

7. Create the two XOR patterns by using the session key and the nonces for this transaction 
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8. Set continueAuthSession to FALSE 

9. Decrypt the DatallsageAutli and DataMigrationAuth parameters 

10. Generate asymmetric key according to algorithm information in key Info 

11. Fill in the wrappedKey structure with infonnation from the newly generated key. 

a. Set the auth member of this structure to the decrypted values of DataUsageAuth. 

b. The TPM MUST set the wrappedKey -> ver to the current TPM version. 

c. If the KeyFlags -> migratable bit is set to 1 , the wrappedKey -> encData -> migrationAuth 
SHALL contain the decrypted value from DataMigrationAuth. 

d. If the KeyFlags -> migratable bit is set to 0. and wrappedKey -> encData -> 
migrationAuth SHALL be set to the value tpmProof. 

e If wrappedKey->PCRInfoSize is non-zero, the TPM MUST set wrappedKey-> Pcrlnfo -> 
digestAtCreation to the value of a TCG_COMPOSITE_HASH structure created using 
pcrlnfo -> pcrSelection as the input to the algorithm in 10,4.5 

12. Encrypt the private portions of the wrappedKey structure using the key in keyHandle 

13. Return the newly generated key in the wrappedKey parameter 
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7.2.6 TSS^WrapKey 




Actions 

The TSS SHOULD do the following: 

1 . If the keyUsage field of PubKey does not have the value TPM_KEY_STORAGE. the TSS must return 
the error code TCGJNVALID.KEYUSAGE 

2. Validate the TCG_STORE_ASYMKEY structure 

3. Fill in the TCG_STORE_ASYMKEY structure with the authorization and usage parameters 

4. Set KeyFlags.migratable to 1 

5. Set all other KeyFlags members to the values in KeyFlags parameter 

6. Set TCG_STORE_ASYMKEY.pcrDigest to 20 bytes of value OxFF. 

7. Encrypt the TCG_STORE_ASYMKEY stmcture using the publcey parameter 

8. Retum the entire TCG_KEY structure 
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The TSS SHOULD do the following: 

1. If the keyUsage field of PubKey does not have the value TPM_KEY_STORAGE, the TSS must return 
the en-or code TCG JNVALID_KEYUSAGE 

2. Validate the TCG_STORE_ASYIVIKEY structure 

3. Fill in the TCG_STORE_ASYMKEY structure with the authorization and usage parameters 

4. Set KeyFlags.migratable to 1 

5. Set all other KeyFlags members to the values in KeyFlags parameter 

6. Set TCG_STORE_ASYMKEY.pcrDigest to TargetPCRHash 

7. Encrypt the TCG_STORE_ASYMKEY stmcture using the pubkey parameter 

8. Retum the entire TCG_KEY stmcture 
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7.2.8 TPM^LoadKey 




Type 

TCG protected capability; user must provide authorization to use the parent key pointed to by 
parentHandle. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descfiption 


# 


SZ 




SZ 






1 


2 






TCG.TAG 


tag 


TPM^TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramStze 


Total number of Input bytes including paran^ize and tag 


3 


4 


1s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_LoadKey. 


4 


4 






TCG.KEY^HANDLE 


parentHandle 


TPM handle of parent key. 


5 


<> 


2s 


<> 


TCG.KEY 


InKey 


Incoming key stiucture, both encrypted private and dear 
public portions. 


6 


4 






TCG.AUTHHANDLE 


authHandle 


The authorization handle used for parentHandle 
authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 
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7 


20 


3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4 HI 


1 


BOOl 


continueAuthSession 


The continue use flag for the authorization handle 


9 


20 






TCG.AUTHDATA 


parentAuth 


The authorization digest for inputs and parentHandie. 
HMAC key: parentKey.usageAuth. 


Outg 


oing C 


)peranc 


is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SI 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See sectron 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Comnnand ordinal: TPM_ORD_LoadKey 


4 


4 


3s 


4 


TCG.KEY.HANDLE 


inkeyHandle 


Internal TPM handle where decrypted key was loaded. 


5 


20 


2 HI 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


1 


BOOL . 


continueAuthSession 


Continue use flag, TRUE If handle is still active 


7 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters, 
HMAC key: parentKey.usageAuth. 



Actions 

The TPM SHALL perfonn the following steps: 

1. If the TPM is not designed to operate on a key of the type specified by inKey. return the enror code 
TCG_BAD_KEY_PROPERTY 

2. Validate the authorization to use the key in parentHandie 

3 If the keyUsage field of the key referenced by parent handle does not have the value 
TPM_KEY_STORAGE. the TPM must return the error code TCGJNVALID^KEYUSAGE 

4. Decrypt the inKey -> privkey to obtain TCG_STORE_ASYMKEY structure using the key in 
parentHandie 

5. Validate the integrity of inKey and decrypted TCG_STORE_ASYMKEY 

a. Reproduce inKey -> TCG.STORE_ASYMKEY -> pubDataDigest using the fields of 
inKey, and check that the reproduced value is the same as pubDataDigest 

6. Validate the consistency of the key and it's key usage. 

a. If inKey -> keyFlags -> migratable Is TRUE, the TPM SHALL verify consistency of the 
public and private components of the asymmetric key pair. If inKey -> keyFlags -> 
migratable is FALSE, the TPM MAY verify consistency of the public and pnvate 
components of the asymmetric key pair. The consistency of an RSA key pair MAY be 
verified by dividing the supposed (P*Q) product by a supposed prime and checking that 
there Is no remainder.. 

b If inKey -> keyUsage is TPM^KEYJDENTITY. verify that inKey->keyFlags->mlgratable Is 

FALSE. If it is not. return TCGJNVALID^KEYUSAGE 
c. If inKey -> keyUsage is TPM_KEY.AUTHCHANGE. return TCGJNVALID.KEYUSAGE 
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d. If InKey -> keyFlags -> migratable equals 0 then verify that TCG„STORE_ASYMKEY -> 
migration equals TCG_PERSISTENT_DATA -> tpmProof 

e. Validate the mix of encryption and signature schemes according to section 4.10.1 

f. If inKey -> keyUsage is TPM_KEY_STORAGE 

I. algorithmID MUST be TCG_ALG_RSA 

ii. Key size MUST be 2048 

iii. sigScheme MUST be TCG_SS_NONE 

g. If InKey -> keyUsage is TPM.KEYJDENTITY 

1. algorithmID MUST be TCG_ALG_RSA 

ii. Key size MUST be 2048 

iii. encScheme MUST be TCG„ES_NONE 

h. If the decrypted InKey ->pcrlnfo is not NULL, 

i. The TPM validates that inKey -> pcrlnfb -> pcrSelection points to at least one 
PGR register. If no PGR registers are selected the TPM MUST NOT perform any 
further checks regarding PGR registers with the loaded key. 

ii. The TPM MUST store the list of active PGR registers in a manner that allows the 
TPM to access this list whenever the loaded key is used for any function. 

ill. Every time before the loaded key is used, the inkey -> PCRInfo structure from 
TPM_LoadKey MUST be used to verify that the cun-ent PGR state is conrect. The 
TPM MUST ensure that the PGRs to which the key was sealed are the same as 
the PGRs' values that exist at the time of key usage. To do this, the TPM will 
compute a TCG_GOMPOSITE_HASH value using the inkey -> pcrlnfo -> 
pcrSelection -> pcrSelect parameter as the input to the composite hashing 
algorithm (See 10.4.5). 

iv. If the resulting composite hash matches the Inkey -> PGRInfo -> digestAtRelease 
parameter, the TPM is pemnitted to use the key. Otherwise, if the composite 
hashes do not match, the TPM is NOT pemriitted to use the key in the current 
PGR state, and the TPM MUST return TCGJ/VRONGPCRVAL. 

L If the decrypted InKey -> pcrlnfo is NULL, 

i. The TPM MUST set the Intemal indicator to indicate that the key is not using any 
PGR registers. 

7. Perfomi any processing necessary to make TGG^STORE^ASYMKEY key available for operations 

8. Load key and key infonnation into intemal memory of the TPM. If insufficient memory exists return 
en-or TGG^NOSPAGE. 

9. Assign inKeyHandle according to internal TPM mles. 

10. Set InKeyHandle -> parentPGRStatus to parentHandle -> parentPGRStatus. 

11. If ParentHandle indicates it is using PGR registers then set inKeyHandle -> parentPGRStatus to 
TRUE. The TPM creates an indicator of PGR usage in step B.h.ii above. This indicator is intemal to 
the TPM but MUST accurately reflect the sealing of a key to a PGR register. 
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7.2.9 TPM^EvlctKey 



Type 

TPM command. Non-authorized. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descrip^n 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG.RQU^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND^CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_EvlctKey 


4 


4 






TCG.KEY.HANDLE 


evidHandle 


The handle of the key to be evicted. 


Outg 


joing ( 


)peraii 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retunfiCode 


The return code of the operation. See section 4.3. 



The TPM will invalidate the key stored in the specified handle and retum the space to the available 
internal poo! for subsequent query by TPM_GetCapabillty and usage by TPiy/l_LoadKey. If the specified 
key handle does not conrespond to a valid key, an error will be returned. 
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7.2.10 TPM.GetPubKey 




TCG protected capability; user must provide authorization to use the l^ey pointed to by keyHandle. 



Incoming Operands and Sizes 





HMAC 


Type 


Name 


Description 


n 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






U1NT32 


paramSize 


Total numtwr of Input bytes induding paraniSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPI\^.ORD.GetPubKey. 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


TPM handle of key. 


5 


4 






TCGJVUTHHANDLE 


authHandie 


The authorization handle used for keyHandle 
authorization. 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


7 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


8 


20 






TCG.AUTHDATA 


keyAuth 


The authorization digest for inputs and keyHandle. HMAC 
key: key.usageAuth. 


Outs 


oingC 


)peran( 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


j» 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_GetPubKey. 


4 


<> 


3s 


<> 


TCG_PUBKEY 


pubKey 


Public portion of key in keyHandle. 


5 


20 


2hi 


20 


TCG_NONCE 


nonceEven 


Even nonce newiy generated by TPM to cover outputs 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


6 


1 


4hi 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TCG_AUTHDATA 


resAuth 


The authorizatnn digest for the returned parameters. 
HMAC key: key.usageAuth. 



Actions 

The TPM SHALL perform the following steps: 

1 . Validate the authorization to use the key in keyHandle 

2. Create a TCG_PUBKEY structure and return 
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7.2.11 TPM_CreateMlgrationBI b 

%to a nevv parent%7platl|*"^ ^^^'^ 




Type 

TCG protected capability; user must provide 
InData. 

Incoming Operands and Sizes 



authorizations for the entity pointed to by parentHandle and 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RQU_AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of Input bytes induding paramSize and 
tag 


3 


4 


1s 


4 


TCG_COMMAND_C0DE 


ordinal 


Command ordinal: TPM.ORD^CreateMigrationBlob 


4 


4 






TCG_KEY_HANDLE 


parentHandle 


Handle of the parent key that can decrypt encData. 


5 


2 


2s 


2 


TCG.MIGRATE.SCHEME 


migrationType 


The migration type, either MIGRATE or RE WRAP 


6 


<> 


3s 


<> 


TCG.MIGRATIONKEYAUTH 


migrationKeyAuth 


Migration public key and its authorization digest. 


7 


4 


4s 


4 


UINT32 


encDataSize 


The size of the encData parameter 


8 


<> 


5s 


<> 


BYTEI] 


encData 


The encrypted entity that is to be modified. 


9 


4 






TCG_AUTHHANDLE 


parentAuth Handle 


The authorization handle used for the parent key. 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


10 


20 


3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
parentAuthHandle 


11 


1 


4 HI 


1 


Boa 


continueAuthSession 


Continue use flag for parent session 


12 


20 




20 


TCG_AUTHDATA 


parentAuth 


The authorizatnn digest for Inputs and 
parentHandle. HMAC key. parentKey.usageAuth. 
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13 


4 






TCG.AUTHHANDLE 


entityAuthHandle 


The authorization handle used for the encrypted 

entity. 






2h2 


20 


TCG.NONCE 


entitylastNonceEven 


Even nonce previously generated by TPM 


14 


20 


3h2 


20 


TCG.NONCE ^ 


entitynonceOdd 


Nonce generated by system associated with 
entityAuthHandle 


15 


1 


4h2 


1 


BOOL 


continueEntltySession 


Continue use flag for entity session 


16 


20 






TCG_AUTHDATA 


entityAuth 


The authorization digest for the inputs and encrypted 
entity. HMAC key: entity.migrationAuth. 


Outg 


oingC 


)peran(j 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




C 


A 
*t 






UINT32 


paramSize 


Tnfai ntimher nf niitniit h\/tes IndudlnQ DsramSize 
and tag 


3 


4 


Is 


' 4 


TCG_RESULT 


retumCode 


Th A rah im /«nrlo Af fha nnaraKnn !<!pp QPCtlon 4 3 

ine reiurn couc oi ino upeiauuii* wcc acwuwii 






2s 


4 


TCG.COMMAND^CODE 


ordinal 


Command ordinal: TPM_ORD_CreateMlgrationBlob 


4 


4 


3s 


4 


U1NT32 


randomSize 


The used size of the output area for random 


5 


<> 


4s 


<> 


BYTEO 


random 


String used for xor encryption 


6 


4 


5s 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


7 


<> 


6s 


<> 


BYTE[] 


outData 


The modified, encrypted entity. 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover 
outputs 






4 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
parentAuthHandle 


9 


1 


5 HI 


f 


BOOL 


oontinueAuthSession 


Continue use flag for parent icey session 


10 


20 




20 


TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters 
and parentHandle. HMAC key: 
parentKey.usageAuth. 


11 


20 


3h2 


20 


TCG.NONCE 


entityNonceEven 


Even nonce newly generated by TPM to cover entity 






4h2 


20 


TCG.NONCE 


entitynonceOdd 


Nonce generated by system associated with 
entityAuthHandle 


12 


1 


5H2 


1 


BOOL 


entityContinueAuthSessio 
n 


Continue use flag for entity sesston 


13 


20 






TCG_AUTHDATA 


entityAuth 


The authorization digest for the returned parameters 
and entity. HMAC key: entity.migrationAuth. 



Description 

The TPM does not check the PGR values when migrating values locked to a PCR. 

The second authorisation session (using entityAuth) MUST be OIAP because OSAP does not have a 

suitable entityType 

Actions 

1 . Validate that parentAuth authorizes the use of the key pointed to by parentHandle. 
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2. Create d1 by decrypting encData using the Icey pointed to by parentHandle. 

3. Validate that entityAuth authorizes the migration of d1 . The validation MUST use d1 -> migrationAuth 
as the secret. 

4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key 

5. If migrationType ~ TCG_MS_MIGRATE the TPM SHALL perform the following actions: 

a. Build a TCG_STORE_PRlVKEY structure from the d1 key. This privKey element should be 
132 bytes long for a 2K RSA key. 

b. Create k1 and k2 by splitting the prIvKey element created In step a into 2 parts. k1 Is the first 
20 bytes of privKey, k2 contains the remainder of privKey. 

c Build m by filling in the usageAuth and pubDataDigest fields within a 
TCG_MIGRATE_ASYMKEY stmcture using data from the d1 key. The privKey field should 
be set to k2 (step g) and payload should be set to TCG_PT_MIGRATE. 

d. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP 
encoding of m using OAEP parameters of 

i. m = TCG_MIGRATE_ASYMKEY stmcture (step c) 

ii. pHash = d1 ->migrationAuth 

iii. seed = 5l = k1 (step g) 

e. Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1 . Retum 
r1 in the Random parameter. 

f. Create x1 by XOR of o1 with r1 

g. Copy r1 into the output field "random". 

h. Encrypt x1 with the migration public key included in migrationKeyAuth. 

6- If migrationType == TCG_MS_REWRAP the TPM SHALL perform the following actions: 

a. Rewrap the key using the public key in migrationKeyAuth. keeping the existing contents of 
that key. 

b. Set randomSize to 0 in the output parameter aray 
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7.2.12 TPM.C nvertMlgrati nBlob 




Type 

TCG protected capability; user must provide authorization to use the key in parentHandle 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


A/ame 


Descnptson 


# 


SZ 


# 


SZ 






1 


2 






TCG^TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ConvertMigrationBlob. 


4 


4 






TCG_KEY_HANDLE 


parentHandle 


Handle of a loaded key that can decrypt keys. 


5 


4 


2s 


4 


UiNT32 


inDataSize 


Size of inData 


6 


<> 


3s 


<> 


BYTE[1 


inData 


The XOR'd and encrypted key 


7 


4 


4s 


4 


UINT32 


randomSize 


Size of random 


8 


<> 


5s 


<> 


BYTE[] 


random 


Random value used to hide key data. 


9 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for keyHandle. 






2 HI 


20 


TCG.NONCE 


auttiLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


10 


20 


3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


12 


20 






TCG_AUTHDATA 


parentAuth 


The authorization digest that authorizes the inputs and 
the migration of the key in parentHandle. HMAC key: 
parentKey.usageAuth 


Outs 


f oing ( 


>peran( 


teand 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


» 


SZ 








1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM.ORD.ConvertMigrationBlob 


4 


4 


3s 


4 


UINT32 


outDataSize 


The used size of the output area for outData 
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5 


<> 


4s 


<> 


BYTE[1 


outData 


The encrypted private key that can be loaded with 
TPM.LoadKey 


6 


20 


2hi 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4hi 


1 


BOOL 


continueAuthSessbn 


Continue use flag. TRUE if handle is still active 


8 


20 






TCGJMJTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: parentKey.usageAuth 



Action 

The TPM SHALL perform the following: 

1. Validate the authorization to use the key in parentHandle 

2 If the keyUsage field of the key referenced by parentHandle does not have the value 
TPM_KEY_STORAGE, the TPM must retum the en"or code TCG JNVALID^KEYUSAGE 

3. Create d1 by decrypting the inData area using the key In parentHandle 

4. Create o1 by XOR d1 and random parameter 

5. Create m1 , seed and pHash by OAEP decoding o1 

6. Verify that the payload type is TCG_PT_MIGRATE 

7. Create k1 by combining seed and the TCG_MIGRATE_ASYMKEY.data field 

8. Create 62 a TCG_STORE_ASYMKEY stmcture by inserting pHash as the migration authorization 
field. Set the TCG_STORE_ASYMKEY -> privKey field to k1 

9. Create outData using the key in parentHandle to perform the encryption 
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Type 

TCG protected capability; user must provide authorization from the TPM Owner 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






U1NT32 


paramSIze 


Total number of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed at 
TPM_ORD_AuthorizeMigrationKey 


4 


2 


2s 


2 


TCG_MIGRATE_SCHEME 


migrateScheme 


Type of migration operation that is to be permitted for 
this key. 


4 
5 


<> 


3s 


<> 


TCG.PUBKEY 


migratlonKey 


The public key to be authorized. 


4 






TCGJVUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


6 


20 


3 HI 


20 


TCG.NONCE 


nonoeOdd 


Nonce generated by system associated with authHandle 


7 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


8 


20 






TCGJVUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outs 


loing ( 


3peranc 


Is and 


Sizes 


PARAM 


HMAC 


Type 


A/ame 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and 
tag 


3 


4 


1s 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed at 
TPM.ORD.AuthorizeMigrationKey 


4 


<> 


3s 


o 


TCG.MIGRATIONKEYAUTH 


outData 


Returned public key and authorizatkm digest. 


5 


20 


2hi 


20 


TCG^NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 
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resAuth 


The authorization digest for the returned parameters. 


7 


20 1 


1 TCG^UTHDATA 


HMAC key; ownerAuth. 



Action 

The TPM SHALL perform the following: 

1. Check that the cryptographic strength of migrationKey is at least that of a 2048 bit RSA key. If 
mIgrationKey is an RSA key. this means that migrationKey MUST be 2048 bits or greater 

2. Validate the authorization to use the TPM by the TPM Owner 

3. Create a f1 a TCG_MIGRATIONKEYAUTH stmcture 

4 "Verify that migratlonKey-> algorithmParms -> encScheme is TCG_ES_RSAESOAEP_SHA1_MGF1 , 
and return the error code TCGJNAPPROPRIATE.ENC if it is not 

5. Set f1 -> migrationKey to the input migrationKey 

6. Set f1 -> migrationScheme to the input migratlonScheme 

7. Create v1 by concatenating (migrationKey || migratlonScheme || TCG_PERSISTENT_DATA -> 
tpmProof) 

8. Create h1 by performing a SHA1 hash of v1 

9. Set f1 -> digest to h1 

10. Return f1 as outData 
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7.3 TPM Optional Functions; Maintenance 
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nanufacturefj 



Any migration of non-migratory data protected by a Subsystem SHALL require the cooperation of both the 
Owner of that non-migratory data and the manufacturer of that Subsystem. That manufacturer SHALL 
NOT cooperate in a maintenance process unless the manufacturer is satisfied that non-migratory data will 
exist in exactly one Subsystem. A TPM SHALL NOT provide capabilities that support migration of non- 
migratory data unless those capabilities are described in the TCG specification. 
The maintenance feature MUST move the following 

• TCG.KEY for SRK. The maintenance process will reset the SRK authorization to match the TPM 
Owners authorization 

• TCG_PERSISTENT_DATA -> tpmProof 

• TPM Owners authorization 
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7.3.1 TPIVI_CreateMaintenanceArchiv 




Type 

Optional; TCG protected capability; user must provide authentication from the TPM Owner. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descffptibn 


# 


SZ 


U 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total numt)er of input bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG_COIWMAND_CODE 


ordinal 


Cmd ordinal: TPM_ORD_CreateMaintenanceArchive 


4 


1 


2s 


1 


BOOL 


generateRandom 


Use RNG or Owner auth to generate 'random*. 


5 


4 






TCG.AUTHHANDLE 


authHandie 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3 m 


20 


TCG^NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


7 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


8 


20 






TCG.AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorizatbn. HMAC key: ownerAuth. 


Outg 


oing ( 


)peranc 


is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


U 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSPJ>^UTH1^C0MMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND.CODE 


ordinal 


Cmd ordinal: TPM.ORD^CreateMaintenanceArchive 


4 


4 


3s 


4 


U1NT32 


randomSize 


Size of the returned random data. Will be 0 if 
generateRandom is FALSE. 


5 


<> 


4s 


<> 


BYTE[] 


random 


Random data to XOR with result. 


6 


4 


5s 


4 


U1NT32 


archiveSize 


Size of the encrypted archive 


7 


<> 


6s 


<> 


BYTE[] 


archive 


Encrypted key archwe. 


8 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 
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Acti ns 

Upon autlnorizatlon being confinmed this command does the following: 

1 Validates that the TCG_PERSISTENT_FI-AGS -> AllowMaintenance is TRUE. If it is FALSE, the 
TPM SHALL retum TCG_DISABLED_CMD and exit this capability. 

2. Validates the TPM Owner authorization. 

3. If the value of TCG_PERSISTENT_DATA -> ManuMaintPub is zero, the TPM MUST retum the enror 
code TCG^KEYNOTFOUND 

4 Build a1 a TCG KEY structure using the SRK. The encData field is not a nomial 
' TCG_STORE^ASYIviKEY structure but rather a TCG_M1GRATE_ASYMKEY structure built using the 
following actions. 

5. Build a TCG_STORE_.PRIVKEY structure from the SRK. This privKey element should be 132 bytes 
long for a 2K RSA key. 

6. Create k1 and k2 by splitting the privKey element created in step 4 into 2 parts. k1 is the first 20 bytes 
of privKey, k2 contains the remainder of privKey. 

7. Build ml by creating and filling in a TCG_MIGRATE_ASYMKEY structure 

a. ml -> usageAuth is set to TCG_PERSISTENT_.FIELDS -> tmpProof 

b. m1 -> pubDataDigest is set to the digest value of the SRK fields from step 4 

c. ml -> payload Is set to TCG_PT_MA1NT 

d. ml -> partPrivKey is set to k2 

8. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by perfomriing the OAEP encoding of 
m using OAEP parameters of 

a. m = TCG_MIGRATE_ASYMKEY stmcture (step 7) 

b. P = TCG_PERSISTENT_F1ELDS -> ownerAuth 

c. seed = sf = k1 (step 6) 

9. If GenerateRandom = TRUE 

a. Create r1 by obtaining values from the TPM RNG. The size of r1 MUST be the same size 
as o1 . Set RandomData parameter to r1 

10. If GenerateRandom = FALSE 

a. Create r1 by applying MGF1 to the TPM Owner authorization data. The size of r1 MUST 
be the same size as o1 . Set RandomData parameter to null. 

1 1 . Create x1 by XOR of o1 with r1 

12. Encrypt x1 with the ManuMaintPub key using the TCG.ES^RSAESOAEP^SHA1_MGF1 encryption 
scheme. 

13. Set a1 -> encData to x1 

14. Retum a1 in the archive parameter 
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Optional; TCG protected capability; user must provide authentication from the TPM 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Deschptton 


# 


S7 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total nunit)er of input bytes including paramSize and tag 


3 


4 


1 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_LoadMaintenanceAfChive 














Vendor specific arguments 




4 






TCG^AUTHHANDLE 


ButhHandle 


The auttiorization handle used for owner authorization. 








20 


TCG.NONCE 


ButhLastNonceEven 


Even nonce previously generated by TPM to cover inputs 




20 




20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandte 




1 




1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 




20 






TCG^AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ovtmerAuth. 


Outg 


|oing< 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes Including paramSize and tag 


3 


4 


1 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD^LoadMaintenanceArchive 














Vendor specific arguments 




20 




20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 








20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 




1 




1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 




20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC liey: ownerAuth. 



Descriptions 

The maintenance mechanisms in the TPM MUST not require the TPM to hold a global 
definition of global secret Is a secret value shared by more than one TPM. 
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The TPME is not allowed to pre-store or use unique Identifiers in the TPM for the purpose of 
maintenance The TPM MUST NOT use the endorsement key for identification or encryption m the 
^SSS!^' process tTL process MAY use a TPM Identity to deliver maintenance 

infomriation to specific TPM's. 

The maintenance process can only change the SRK. tpmProof and TPM Owner authorization fields. 
The maintenance process can only access data in shielded locations where this data is necessary to 
validate the TPM Owner, validate the TPME and manipulate the blob 

The TPM MUST be conformant to the TCG specification, protection profiles and security targets after 
maintenance. The maintenance MAY NOT decrease the security values from the onginal security target. 

The security target used to evaluate this TPM MUST include this command in the TOE. 
Actions 

The TPM SHALL perfomn the following when executing the command 
1 . Validate the TPM Owner's authorization 

2 Validate that the maintenance information was sent by the TPME. The validation mechanism MUST 
use a sfrength of function that is at least the same strength of function as a digital signature 
performed using a 2048 bit RSA key. 

3. The packet MUST contain m2 as defined in 7.3.1 

4 Ensure that only the target TPM can interpret the maintenance packet. The protection mechanism 
' MUST use a strength of function that is at least the same strength of function as a digital signature 
performed using a 2048 bit RSA key. 

5. Process the maintenance infomiation and update the SRK and TCG.PERSISTENT.DATA -> 
tpmProof fields. 

6. Set the SRK useageAuth to be the same as TPM Owners authorization 
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7.3.3 TPM_KillMaint nanceF ature 




Type 

Optional; TCG protected capability; user must provide authentication from the TPM Owner. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


S2 




SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes Induding paramSize and tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_KillMaintenanceFeature 










TCG_AUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


5 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


7 


20 






TCG_AUTHDATA 


ownerAuth 


The authorizatton digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Out£ 


loing ( 


Operant 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSPJVUTH1.C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The retum code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_KillMaintenanceFeature 


4 


20 


2 HI 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system assoaated with authHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE If handle is still active 


6 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Actions 
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1 . Validate the TPM Owner authorization 

2. Set the TCG_PERSISTENT„FLAGS.AIIowMaintenance flag to FALSE. 
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7.3.4 TPM_LoadManuMaintPub 




Incoming Operands and Siies 



PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_LoadManuMaintPub 


4 


20 






TCG.NONCE 


antiReplay 


AntiReplay and validation nonce 


5 


<> 






TCG_PUBKEY 


pubKey 


The public key of the manufacturer to be in use for 
maintenance 


Outc 


loing ( 


}peran( 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptkm 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


returnCode 


The return code of the operation. See section 4.3. 










TCG.COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD.LoadManuMaintPub 


4 


20 






TCG.DIGEST 


checksum 


Digest of pubKey and antiReplay 



Type 

Optional; TCG protected capability 
Description 

The pubKey IVIUST specify an algorithm whose strength is not less than the RSA algorithnn with 2048bit 
Iceys. 

pubKey SHOULD unambiguously identify the entity that will perfbnm the maintenance process with the 
TPM Owner. 

TCG_PERSISTENT_DATA-> ManulVlaintPub SHALL exist in a TCG-shielded location, only. 

If an entity (Platform Entity) does not support the maintenance process but Issues a platform credential 

for a platform containing a TPM that supports the maintenance process, the value of 

TCG.PERSISTENT.DATA -> ManuMaintPub MUST be set to zero before the platform leaves the entity s 

control. 
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Actions 

The first valid TPM_LoadManuMaintPub command received by a TPM SHALL 

1 . Store the parameter pubKey as TCG_PERSISTENT_DATA -> ManuMaintPub. 

2. Create "checksum" by concatenating data to form (pubKey||antiReplay) and passing 
concatenated data through a SHA-1 hash process. 

3. Export the checksum 

Subsequent calls to TPM_LoadManuMaintPub SHALL return code TCG.DISABLED.CMD. 
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7.3.5 TPM_ReadManuMaintPub 




incoming Operands and Sizes 



PAHAM 




Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSIze 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM^ORD_ReadManuMaintPub 


4 


20 






TCG^NONCE 


antiReplay 


AntiReplay and validation nonce 


Outg 


oingC 


)peranc 


is and 


Sizes 


PARAM 




Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TGG^TAG 


tag 


TPM^TAG.RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The retum code of the operation. See section 4.3. 










TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_ReadManuMaintPub 


4 


20 






TCG^DIGEST 


checlcsum 


Digest of pubKey and antiReplay 



Type 

Optional; TCG protected capability 
Description 

This command returns the hash of the antiReplay nonce and the previously loaded manufacturer's 

maintenance public key. 

Actions 

The TPM_ ReadManulVlaintKey command SHALL 

1. Create "checksum" by concatenating data to form (TCG.PERSISTENT_DATA -> IVIanuMaintPub 
llantlReplay) and passing the concatenated data through SHA1. 

2. Export the checksum 
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8. Cryptographic and Misc llaneous Functions 
8.1 Introduction 
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8.2 TPM Hash Operati ns 




The only commands that SHALL be presented to the TPM in-between a tPM_SHA1 Start command and 
a TPM_^SHA1 Complete command SHALL be a variable number (possibly 0) of TPM_SHA1 Update 
commands. 

The only commands that SHALL be presented to the TPM in-between a TPM SHA1 Start command 
a TPM_SHA1CompleteExtend command SHALL be a variable number (possibly. 0) of TPM_SHA1 Update 
commands. 
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8.2.1 TPM_SHA1 Start 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_0RD_SHA1 Start 


Outs 


foing ( 


)peraii 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG^RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






UINT32 


maxNumBytes 


Maximum number of bytes that can be sent to 
TPM_SHA1Update. Must be a multiple of 64 bytes. 



Description 

This capability prepares the TPM for a subsequent TPM_SHA1Update TPM_SHA1 Complete or 
TPM_SHA1CompleteExtend command. The capability SHALL open a thread that calculates a SHA-1 
digest. 
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8.2.2 TPIVI_SHA1 Update 




TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM^TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total numt)er of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_0RD^SHA1 Update 


4 


4 






U)NT32 


numBytes 


The number of bytes in hashData. Must be a multiple of 64 
bytes. 


5 


<> 






BYTE[1 


hashData 


Bytes to be hashed 


Outc 


loing Operar 


ids an 


d Sizes 


PAHAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Description 

This command SHALL incorporate complete blocks of data Into the digest of an existing SHA- 
Only integral numbers of complete blocks (64 bytes each) can be processed. 
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8.2.3 TPM.SHAIC mpl te 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM^TAG^RQU.COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_0RD„SHA1 Complete 


4 


4 






UIKrr32 


hashOataSize 


Number of bytes in hashData, MUST be 64 or less 


5 


<> 






BYTE[1 


liashData 


Final bytes to be hashed 


Outs 


loing ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptkm 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


20 






TCG.DIGEST 


hashValue 


The output of the SHA-1 hash. 



Description 

This command SHALL incorporate a partial or complete block of data into the digest of an existing SHA-1 
thread, and terminate that thread. hashDataSize MAY have values in the range of 0 through 64, inclusive. 
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8.2.4 TPM^SHAIC mpleteExtend 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


S2 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total nunr\ber of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of 
TPM_0RD.SHA1 CompleteExtend 


4 


4 






TCG_PCRINDEX 


pcrNum 


Index of the PGR to be modified 


5 


4 






UINT32 


hashDataSize 


Number of bytes in hashData, MUST be 64 or less 


6 


<> 






BYTEll 


hashData 


Final bytes to be hashed 


Outs 


|olng ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM.TAG^RSP.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation . See section 4.3. 


4 


20 






TCG.DIGEST 


hashValue 


The output of the SHA-1 hash. 


5 


20 






TCG.PCRVALUE 


outDigest 


The PGR value after execution of the command. 



Description 

This command SHALL incorporate a partial or complete block of data into the digest of an existing SHA-1 
thread. EXTEND the resultant digest into a PGR, and terminate the thread. hashDataSize MAY have 
values in the range of 0 through 64. inclusive. 
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8.3 Key Certification 
8.3.1 TPM_CertifyKey 




Type 

TCG protected capability; user must authorize the use of key pointed to by idHandle and the key pointed 
to by keyHandle. 
incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG_RQU.AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and 
tag 


3 


4 


1s 


4 


TCG.COIVIMAND.CODE 


ordinal 


Command ordinal, fixed at TPM_ORD_CertifyKey 


4 


4 






TCG.KEY.HANDLE 


certHandie 


Handle of the key to be used to certify the key. 


5 


4 






TCG_KEY_HANDLE 


keyHandle 


Handle of the key to be certified. 


6 


20 


2s 


20 


TCG.NONCE 


antiReplay 


160 bits of externally supplied data (typically a nonce 
provided to prevent replay-attacks) 


7 


4 






TCGJMJTHHANDLE 


certAuthHandle 


The authorization handle used for certHandte. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
certAuthHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


10 


20 






TCG_AUTHDATA 


certAuth 


The authorization digest for inputs and certHandie. 
HMAC key: certKey.auth. 


11 


4 






TCG_AUTHHANDLE 


keyAuthHandie 


The authorization handle used for the key to be signed. 






2h2 


20 


TCG.NONCE 


keylastNonceEven 


Even nonce previously generated by TPM 


12 


20 


3h2 


20 


TCG.NONCE 


keynonceOdd 


Nonce generated by system associated with 
keyAuthHandie 
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13 


) 


4h2 


1 


BOOL 


continueKeySession 


The continue use flag for the authorization handle 


14 


20 






TCG_AUTHDATA 


keyAuth 


The authorization digest for the inputs and key to be 
signed. HMAC key: key.usageAuth. 



Outgoing Operands and Sizes 



Param 


HMAC 


Type 


Name 


Descriffdon 


# 


Sz 


# 


Sz 


4 

1 


0 






TCG^TAG 


tag 


TPM^TAG_RSP_AUTH2_C0MMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and 
tag 


3 


4 


IS 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






£S 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal TPM_ORD_CertifyKey 


4 


95 


3s 


95 


TC»b_L/bK I lrY_1NrU 


certifylnfo 


The certifylnfb structure that corresponds to the 
signed key. 


5 


4 


4s 


4 


U1NT32 


outDataSIze 


The used size of the output area for outData 


6 


<> 


5s 


<> 


BYTE[] 


outData 


The signed public key. 


7 


20 


2hi 


20 


TCG^NONCE 


nonceEven 


Even nonce newly generated by TPM 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
certAuthHandle 


8 


1 


4 HI 


1 


BOOL 


contlnueAuthSessbn 


Continue use flag for cert key session 


9 


20 




20 


TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters 
and parentHandle. HMAC key: certKey -> auth. 


10 


20 


2h2 


20 


TCG_NONCE 


keyNonceEven 


Even nonce newly generated by TPM 






3h2 


20 


TCG_NONCE 


keynonceOdd 


Nonce generated by system associated with 
keyAuthHandle 


11 


1 


4h2 


1 


BOOL 


continueKeyAuthSession 


Continue use flag for target key sessbn 


12 


20 






TC6JVUTHDATA 


keyAuth 


The authorization digest for the target key. HMAC 
key: key.auth. 



Actions 

1. The TPIVI validates that the l^ey pointed to by certHandle has a signature scheme of 
TCG_SS_RSASSAPKCS1 v1 5.SHA1 . 

2. The TPM verifies the authorization In certAuthHandle provides authorization to use the key pointed to 
by certHandle. 

3. The TPM verifies the authorization in keyAuthHandle provides authorization to use the key pointed to 
by keyHandle. 

4. If the key pointed to by certHandle is an identity key (certHandle:TCG_KEY -> keyUsage Is 
TPM_KEYJDENTITY), the TPM verifies that the key pointed to by keyHandle is a non-migratory key. 

5. The TPM SHALL create a c1 a TCG.CERTIFYJNFO (defined in section 4.28) structure from the key 
pointed to by keyHandle. 

6. The TPM calculates the digest of the (public key) keyHandle -> pubKey -> key and stores it in the c1 - 
> pubkeyDigest. 
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7. The TPM copies the antiReplay parameter to the TCG.CERTIFYJNFO c1 -> data. 

8. If pcrlnfoSize is not 0 for the key pointed by IceyHandle, 

a. The TPM MUST set c1 -> pcrlnfoSize to match the pcrlnfoSize from the keyHandle key. 

b. The TPM MUST set c1 -> pcrlnfo to match the pcrlnfo from the keyHandle key. 

c. The TPM MUST set c1 -> digestAtCreation to 20 bytes of 0x00. 

9. if pcrinfoSize is 0 for the key pointed to by keyHandle 

a. The TPM MUST set c1 -> pcrlnfoSize to 0 

10. The TPM creates ml , a message digest formed by taking the SHA1 of c1 . 

11 . The TPM then perfomis a signature using certHandle -> sigScheme, The resulting signed blob is 
returned in outData. 
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8.4 TPM Int rnal Asymmetric Encryption 




leWc-keir^^^^^^^^^^^^gp^ffn^ 
^tie^k!S^^^^^^^^^^^^#olutionf 




The TPM MUST check that the encryption scheme defined for use with the key Is a valid schenne for the 
key type, as follows: 



Key algorithm : 


^Approved schemes. v ' - . . 


Scheme Value . . 


TCG ALG RSA 


TCG ES NONE 


0x0001 


TCG ES RSAESPKCSV15 


0x0002 


TCG ES RSAESOAEP SHA1 MGF1 


0x0003 



For a TPM^UNBIND command where the parent key has pubKey.algorithmId equal to TCG_ALG_RSA 
and pubKey.encScheme set to TCG_ES_RSAESPKCSv15 the TPM SHALL NOT expect a 
PAYLOAD_TYPE stmcture to pre-pend the decrypted data. 

The TPM MUST perfonm the encryption or decryption in accordance with the specification of the 
encryption scheme, as described below. 

When a null temninated string is included in a calculation, the tenminating null SHALL NOT be Included in 
the calculation. 
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8.4.1 TCG_ES_RSAESOAEP_SHA1_MGF1 

The encryption and decryption MUST be performed using the scheme RSA_ES_OAEP defined in [PKCS 
#1v2.0: 8.1] using SHA1 as the hash algorithm for the encoding operation. 

1. Encryption 

a. The OAEP encoding P parameter MUST be the NULL terminated string "TCG". 

b. If there is an error with the encryption the TPM must retum the error 
TCG_ENCRYPT_ERROR. 

2. Decryption 

a. The OAEP decoding P parameter MUST be the NULL tenninated string TCG". 

b. If there is an enror with the decryption, the TPM must return the error 
TCG_DECRYPT_ERROR. 

8.4.2 TCG_ES_RSAESPKCSV15 

The encryption MUST be perfonrned using the scheme RSA_ES„PKCSV1 5 defined in [PKCS #1v2.0: 
8.1]. 

1 . Encryption 

a. If there is an enror with the encryption, retum the error TCG_ENCRYPT_ERROR. 

2. Decryption 

a. If there is an enror with the decryption, retum the emjr TCG_DECRYPT_ERROR. 

8.5 TPM Internal Digital Signatures 




The TPM MUST check that the signature scheme defined for use with the key is a valid scheme for the 
key type, as follows: 



Key algorithm ■ 


■ Approved^ sche^mes^^ ^/.Cy- yj-.:;yjy^ ':0,l/<f. ^ 


Scheme, Value ^ 


TCG„ALG_RSA 


TCG_SS_NONE 


0x0001 




TCG_SS_RSASSAPKCS1 v1 5_SHA1 


0x0002 




TCG,SS_RSASSAPKCS1 v1 5_DER 


0x0003 



The TPM MUST perform the signature or verification in accordance with the specification of the signature 
scheme, as described below. 

8.5.1 TCG_SS_RSASSAPKCS1v15_SHA1 

The signature MUST be perfomied using the scheme RSASSA-PKCS1-v1.5 defined in [PKCS #1v2.0: 
8.1] using SHA1 as the hash algorithm for the encoding operation. 

8.5.2 TCG_SS_RSASSAPKCS1v15_DER 
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The signature MUST be performed using the scheme RSASSA-PKCS1-v1. 5 defined in [PKCS #1v2.0: 
8.1]. The caller must properly format the area to sign using the DER rules. The provided area maximum 
size is k'^ 1 octets. 



TPM_Sign SHALL be the only TPM capability that is permitted to use this signature scheme. If a 
capability other than TPM_Sign is requested to use this signature scheme, it SHALL fail with the error 
code TCG INAPPROPRIATE_SIG 



8.6 HMAC Calculation 




The TPM MUST support the calculation of an HMAC according to RFC 2104. 

The size of the key (K in RFC 2104) MUST be 20 bytes. The block size (B in RFC 2104) MUST be 64 
bytes. 

The order of the parameters is critical to the TPM's ability to recreate the HMAC. Not ail of the fields are 
sent on the wire for each command for instance only one of the nonce values travels on the wire. The 
order of the parameters is set by section 0. 

Each function indicates what parameters are involved in the HMAC calculation. 
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8.7 Digital Signatures 

8.7.1 TPM^SIgn 




Type 

TCG protected capability; user must provide autliorization to use the keyHandle parameter. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


U 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQUJVUTH1.C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_0RD_Sign. 


4 


4 






TCG_KEY.HANDLE 


keyHandle 


The keyHandle klentifier of a loaded key that can perform 
digital signatures. 


5 


4 


2s 


4 


UINT32 


areaToSignSize 


The size of the areaToSign parameter 


6 


<> 


3s 


<> 


BYTEQ 


areaToSign 


The value to sign 


7 


4 






TCGJVUTHHANDLE 


authHandle 


The authorization handle used for keyHandle 
authorization 






2 Ml 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


10 


20 






TCG_AUTHDATA 


privAuth 


The authorizatbn digest that authorizes the use of 
keyHandle. HMAC key: key.usageAuth 


Outs 


|oing ( 


)peran( 


is and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RSPJVUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG_RESULT 


returnCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Sign. 


4 


4 


3s 


4 


Uim*32 


sigStze 


The length of the returned digital signature 


5 


<> 


4s 


<> 


BYTE(] 


sig 


The resulting digital signature. 


6 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is stBi active 
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1 TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 


8 


20 1 


HMAC key: key.usageAuth 



. Description 

The TPM MUST support all values of areaToSignSize that are legal for the defined signature scheme and 
key size The maximum value of areaToSignSize is determined by the defined signature scheme and key 
size In the case of PKCS1v15_SHA1 the areaToSignSize MUST be TCG^DIGEST (the hash size of a 
shai operation - see 8.5.1 TCG^SS_RSASSAPKCS1v15_SHA1). In the case of PKCS1v15_DER the 
maximum size of areaToSign is k-11 octets, where k is limited by the key size (see 8.5.2 
TCG.SS.RSASSAPKCS1 v1 5_DER). 

Actions 

1 . If the areaToSignSize is 0 the TPM returns TCG_BAD_PARAMETER. 

2. The TPM validates the authorization to use the key pointed to by keyHandle. 

3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGN or TPM_KEY_LEGACY, if not retum the 
error code TCGJNVALID.KEYUSAGE 

4. The TPM verifies that the signature scheme used by the key referenced by keyHandle is a valid and 
supported signature scheme. 

5. The TPM verifies that the signature scheme and key size can property sign the areaToSign 
parameter. 

6. The TPM computes the signature, sig. using the key referenced by keyHandle. using with areaToSign 
as the information to be signed 
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8.7.2 TSS^VerlfySlgnature 




Versi n 1.1a 1 Setember 2001 



TCG Main Speciftcatton 



Page 204 



8.8 Random Numbers 




Version 1.1a 1 Setember2001 



TCG Main Specification 



Page 205 



8.8.1 TPM GetRandom 




Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND^CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_GetRandom. 


4 


4 






UINT32 


bytesRequested 


Number of bytes to return 



Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP„COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The retum code of the operation. See section 4.3. 


4 


4 






UINT32 


randomBytesSize 


The number of bytes retumed 


5 


<> 






BYTE[1 


randomBytes 


The retumed bytes 



Actions 

1 . The TPhA determines if amount bytesRequested is available from the TPM. 

2. Set randomBytesSize to the number of bytes available from the RNG. This number MAY be less than 
randomBytesSize. 

3. Set randomBytes to the next randomBytesSize bytes from the RNG 

4. It Is RECOMMENDED that a TPM implement the RNG in a manner that would allow it to return RNG 
bytes such that the frequency of bytesRequested being less than the number of bytes available be a 
infrequent occurrence. 
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8.8.2 TPM_StlrRand m 




Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_C0MMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.StirRandom 


4 


4 






UINT32 


dataSize 


Number of bytes of input (<256) 


5 


<> 






BYTE[] 


inData 


Data to add entropy to RNG state 


Out£ 


|oing ( 


Dperar 


ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Actions 

The TPM updates the state of the current RNG using the appropriate mixing function. 
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8.9 Self Test 



Stsid of infarmaSye cpmm^nB 




At startup, a TPM MUST self-test all internal functions that are necessary to do TPM_SHA1 Start. 
TPM_SHA1 Update, TPM_SHA1 Complete, TPM_SHA1 CompleteExtend. TPM_Extend. TPM_Startup, 
TPM_ContinueSelfTest. This process MUST take 20ms or less. 

TSC commands do not operate on shielded locations and have no requirement to be self tested before 
any use. TPM's SHOULD test these functions before operation. 

Some internal functions MUST be tested before the TPM responds to any capability (see 10.8.1). Some 
internal functions SHOULD be tested before the TPM responds to any capability (see 10.8.2). 

If self test has failed, the TPM SHALL respond to all commands (except the update commands) with the 
error code TCG_FAILEDSELFTEST (see 10.8.3). 

If the functions used by a capability have not been tested, TPM_ContinueSelfTest is executed 
automatically after that capability is called and before it is executed. 
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8.9.1 TPM^SelfTestFull 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Nam 


Description 


# 


SZ 


# 


SZ 




1 


2 






TCG_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_SelfTestFull 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramStze 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Actions 

1 . TPM^SelfTestFull SHALL cause a TPM to perform self-test of each TPM internal function. 

2. Failure of any test results in overall failure, and the TPM goes into failure mode. 
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8,9.2 TPM_CertlfySelfT st 




Type 

TCG protected capability; user must provide authorization to use the keylHandle parameter. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


DescripUon 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


lag 


TPM_TAG.RQU_AUTH1_C0I\4MAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


Is 


4 


TCG_COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_CertlfySetfTest 


4 


4 






TC6_KEY_HANDLE 


IceyHandle 


The tceyHandie identifier of a loaded key that can perfomi 
digital signatures. 


5 
6 


20 


2s 


20 


TCG_NONCE 


antlReplay 


AnitReplay nonce to prevent replay of messages 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for l^eyHandle 
authorization 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated witti authHandle 


8 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


9 


20 






TCG_AUTHDATA 


privAuth 


The authorization digest that authorizes the inputs and 
use of keyHandle. HMAC key: key.usageAuth 


Outs 


lolng ( 


)peran( 


is and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG^RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG^COMMAND.CODE 


ordinal 


Command ordinal: TPM.ORD.CertifySelfTest 


4 


4 


3s 


4 


UINT32 


sigSIze 


The length of the returned digital signature 


5 


<> 


4s 


<> 


BYTE[] 


sig 


The resulting digital signature. 


6 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 
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3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4 HI 


1 


BOOL 


continueAuttiSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned paranietefs. 
HMAC key: key.usageAuth 



Description 

The key in IceyHandle MUST have a KEYUSAGE value of type * TPM_KEY.SIGNING or 
TPM_KEY_LEGACY or TPM^KEYJDENTITY. 

Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual TPM. 
Actions 

1. The TPM SHALL perfonn TPM.SelfTestFull. If the test fails the TPM returns the appropriate error 
code. 

2. After successful completion of the self-test the TPM then validates the authoi-izatlon to use the key 
pointed to by keyHandle. 

3. Create t1 the null terminated string of "Test Passed" 

4. The TPM creates m2 the message to sign by concatenating t1 || AntiReplay || ordinal. 

5. The TPM signs m2 using the key identified by keyHandle, and returns the signature as sig. 
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8.9.3 TPM_C ntinueS IfTest 



Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 




Type 


Name 


Des^ption 


# 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 


TPM_TA6_RQU.C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_C0MMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.ContinueSelfTest 


Outfi 


|oing ( 


Dperar 


Ids an 


d Sizes 


PARAM 




Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Actions 

TPM_ContinueSelfTest SHALL cause the TPM to do all self-tests that are outstanding, since startup. It 
SHALL immediately respond to the caller with a return code. When TPM.ContinueSelfTest finishes 
execution, it SHALL NOT respond to the caller with a retum code. 

The TPM SHALL unilaterally execute the functions of TPM_ContinueSelfTest upon receipt of a command 
that calls a capability-X that uses untested TPM functions. If the self-test fails, the TPM SHALL retum the 
error code TCG.FAILEDSELFTEST. If the self-test passes, the TPM SHALL execute capability-X. 
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8.9.4 TPM GetTestResult 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 


SZ 






1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.GetTestResutt 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG^RSP.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






UINT32 


outDataSize 


The size of the outData area 


5 


<> 






BYTEO 


outData 


The outData this Is manufacturer specific 



Actions 

The TPM SHALL respond to this command with a manufacturer specific block of Information that 
describes the result of the latest self test. 

The information MUST NOT contain any data that uniquely identifies an individual TPM. 
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8.10 Reset and Clear Operations 




The TPM MUST support the reset operation. The reset operation clears all handles, authorization 
sessions and volatile state machines. The reset MUST NOT affect the SRK, PGR and flags such as the 
flag set by TPM_DisableForceClear. 

The TPM MUST support the clear operations. The clear operation MUST perfomi the following actions: 

• Perform a reset operation 

• Delete the SRK 

• Reset all non-volatile values to factory default except the endorsement key pair 

• Return TCG_NOSRK until there is a proper execution of tiie ownership function 

The TPM MUST support disabling the clear operations. After execution of the TPM_DisableOwnerCIear 
the TPM MUST require physical access to execute the TPM_ForceClear. The TPM MUST support the 
TPM_DisableForceClear to disable the TPM_ForceClear command. The TPM_DlsableForceClear 
command MUST execute on each startup cycle to be effective. 
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Type 

TCG protected capability. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG.RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total numt>er of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Reset. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






U1NT32 


paramSize 


Total numt)er of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The retum code of the operation. See section 4.3. 



Actions 

1 . The TPM frees all resources allocated to authorization sessions extant in the TPM 

2. The TPM does not reset any PGR or DIR values. 

3. The TPM does not reset any flags in the TCG_VOLATILE_FLAGS stmcture. 

4. The TPM does not reset or delete any keys 
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8.10.2 TPMJnIt 




Definition 

TPM Init 0 ; 



Type 

TCG protected capability that requires physical indication from the platform 

Parameters 

None 

Description 

The platform MUST be designed such that if the TPMJnit signal is asserted the entire Platform MUST be 
initialized. This prevents, at least with a minimum effort, someone touching the TPMJnit pin on the TPM 
and resetting only the TPM. A TPM MUST perform the actions of TPMJnit in response to a valid 
stimulus, but MAY otherwise deny existence of TPMJnit. Thus a TPM would execute TPM_lnit on receipt 
of an electrical signal, but might return the code TCG_BAD_ORDINAL in response to inappropriate 
software attempts to execute TPMJnit, and might not provide the means to audit TPMJnit, for example 

The TPMJnit signal MUST have signaling qualifications appropriate for the required conformance and 
Protection Profile for the Platfonn. 

Actions 

1 . The TPM performs a TPM_Reset. 

2. The TPM sets TCG_VOLATILE_FLAGS -> postlnitialise to TRUE. See 0 for details of the 
"postlnitialise" state. 
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8.10.3 TPM Sav State 




Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RaU_COMMAND 


2 


4 






UINT32 


paramSize 


Total numt)er of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD^SaveState. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG„RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Description 

Preserved values MUST be non-volatile. 

If data is never stored in a volatile medium, that data MAY be used as preserved data. In such cases, no 
explicit action may be required to preserve that data. 

if an explicit action is required to preserve data, it MUST be possible to determine whether preserved 
data is valid. 

If the parameter mirrored by a preserved value is altered, the preserved value MUST be declared invalid. 
If the parameter mirrored by any preserved value is altered, all preserved values MAY be declared 
invalid. 

Actions 

1 . The contents of all PCRs MUST be preserved. 

2. The contents of the auditDigest MUST be preserved. 

3. The state of the flags: 

I. TCG_VOI-ATILE__FLAGS -> PhysicalPresence 
ii. TCG_VOI_ATILE_FLAGS -> PhysicalPresenceLock 
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iii. TCG_VOLATILE_FLAGS -> deactivated 

iv. TCG_VOLATILE_FLAGS -> disableForceClear 
MUST be preserved. 

4. The contents of any key that is cun-ently loaded SHOULD be preserved if the l<ey's parentPCRStatus 
indicator is FALSE and its IsVolatile indicator is FALSE. The contents of any key that is currently 
loaded MAY be preserved if its parentPCRStatus indicator is TRUE or its IsVolatile indicator is TRUE. 
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8.10.4 TPM^Startup 




Type 



TCG protected capability 
Incoming Operands and Sizes 



PARAM 




Type 


Name 


Oescnptibn 


# 


SZ 




SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_Startup 


4 


2 






TCG_STARTUP_TfPE 


startupType 


Type of startup that is occumng 


Outc 


loing ( 


Dperar 


ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG.RSP.COIWMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes Including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operatbn. See section 4.3. 



Description 

TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM. for example). 
Actions 

1. If TCG_VOLATILE_FLAGS -> postlnitialise is FALSE, the TPM MUST return 
TCGJNVALID_POSTINIT, and exit this capability. 

2. If stType = TCG_ST_CLEAR 

a. Reset PCR's 

b. Reset the auditDlgest 
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c. The TPiy/l Must set the following flags to their default state: 

i. TCG_VOLATILE_FLAGS -> PhysicalPresence 

11. TCG_VOLATILE„FI-AGS -> PhysicalPresenceLock 

ill. TCG_VOLATILE_FLAGS -> disablePorceClear 

d. The TPM SHALL set TCG_VOLAT[LE_FLAGS -> deactivated to the same state as 
TCG_PERSISTENT_FLAGS -> deactivated 

e. The TPM SHALL take all necessary actions to ensure that all loaded keys contain the 
preserved value If the preserved value Is valid and the preserved value's parentPCRStatus 
indicator is FALSE and its IsVolatile Indicator Is FALSE. All other key areas MUST be 
unloaded. If the TPM is unable to successfully complete these actions, it SHALL enter the 
TPM failure mode. 

3. If stType = TCG_ST_STATE 

a. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid preserved 
values. If the TPM is unable to successfully complete these actions, it SHALL enter the TPM 
failure mode. 

b. The TPM SHALL take all necessary actions to ensure that the auditDigest contains a valid 
preserved value. If the TPM is unable to successfully complete these actions, it SHALL enter 
the TPM failure mode. 

c. The TPM MUST restore the following flags to their preserved states: 

i. TCG_VOLATILE_FLAGS -> PhyslcalPresence 

11. TCG_VOLATlLE_FLAGS -> PhysicalPresenceLock 

iii. TCG_VOLATILE_FLAGS -> deactivated 

iv. TCG_VOLATILE_FLAGS -> disableForceClear 

d. The TPM MUST restore all keys that have been saved 

e. The TPM resumes nomnal operation. If the TPM is unable to resume normal operation, it 
SHALL enter the TPM failure mode. 

4. If StType = TCG_ST_DEACTiVATED 

a. The TPM MUST set TCG_VOLATILE_FLAGS -> deactivated to TRUE 

5. The TPM MUST invalidate any explicitly preserved state and set TCG_VOLATILE_FLAGS -> 
postlnitialise to FALSE. 
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8.10.5 TPM_OwnerClear 




TCG protected capability; user must provide auttiorization as the TPM Owner. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of Input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerClear 


4 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


ButhLastNonceEven 


Even nonce previously generated by TPM to cover 
Inputs 


5 


20 


3 HI 


20 


TCG^NONCE 


nonceOdd 


Nonce generated by system associated wHh authHandle 


6 


1 


4 HI 


1 


BOOL 


oontinueAuthSession 


Ignored 


7 


20 






TCGJ^UTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outs 


|oing ( 


3peran< 


is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_C0MMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerClear 


4 


20 


2 HI 


20 


TCG_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4 HI 


1 


BOOL 


oontinueAuthSession 


Fixed value FALSE 


6 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the retumed parameters. 
HMAC key: old ownerAuth. 



Actions 

1 . The TPI\4 verifies that the authHandle properly authorizes the owner. 

2. After owner verification the TPM then checks the status of the TCG_PERSISTENT_FLAGS 
DisableOwnerClear flag, if set the TPM returns TCG_CLEAR_DISABLED. 
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3. The TPM executes the TPM_Reset command. The TFM then destroys the SRK and any internal data 
associated with the SRK. The TPM then destroys the TPM Ownership data. 

4. The TPM unloads ail loaded keys. 

5. The TPM sets all DIR registers to their default value. 

6. The TPM sets TCG_PERSISTENT_FLAGS to their default values. 

7. The result will be no Owner or SRK and the TPM is set to the state where it returns TCG_NOSRK. 
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8.10.6 TPM_DisableOwnerClear 




Type 

TCG protected capability; user must provide authorization as the TPM Owner. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descriptton 


# 


SZ 


# 1 


SZ 


1 


2 






TCG_TAG 


tag 


TPM.TAG_RQU_AUTH1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total numt)er of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DisableOwnerClear 


4 


4 






TCGJVUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


5 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


7 


20 






TCG^AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outs 


oingC 


)peran( 


Jsand 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM^ORD.DisableOwnerClear 


4 


20 


2 HI 


20 


TCG.NONCE 


nonoeEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag. TRUE if handle is still active 


6 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Actions 

1 . The TPM verifies that the authHandle properly authorizes the owner. 

2. The TPI^ sets the TCG_PERSISTENT_FLAGS -> dlsableownerclear flag to TRUE. 

3. The only mechanism that can clear the TPM is the TPM.ForceClear command. The TPM_ForceClear 
command requires physical access to the TPM to execute. 



Versi nl.la 1 S tember2001 



TCG Main Specification 



Page 223 



8.10.7 TPM_F rceClear 




TCG protected capability; there must be some evidence of physical access to the platfonm present for the 
TPM to verify. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.ForceClear 


Outs 


|olng ( 


}perar 


ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Descnjpf/on 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The retum code of the operation. See section 4.3. 



Actions 

1. The TPM checks for a prior execution of the TPM_DisableForceClear command. If executed, the 
TPM will retum TCG_CLEAR_DISABLED. 

2. After verification of physical access, the TPM perfomns a clear operation that has the same result as 
the TPM_OwnerClear. After execution the result of this command is exactly like the 
TPM_OwnerClear. 

3. The implementation of the physical access requirement is a manufacturer option. The evidence of 
physical access could be done by setting a pin high on a chip, or by sending special bus cycles or by 
any other mechanism that provides evidence of physical access. 
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8.10.8 TPM.DisableForceClear 



Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HA/IAC 


Type 


Name 


Description 


n 




# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG,RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_DisableForceClear 


Outg 


|olng ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Actions 

The TPM sets the TCG^VOU\TlLE_FLAGS.disableforceclear flag in the TPM that disables the execution 
of the TPM^ForceCIear command. 
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8.11 The GetCapability Commands 




The TPM MUST NOT return in response to tlie GetCapability command any information that identifies an 
individual TPM. 
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8.11.1 TPM.GetCapiability 
Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_C0Mfi4AND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMI^D.CODE 


ordinal 


Command ordinal: TPM_ORD_GetCapabillty 


4 


4 






TCG^GAPABIUTY_AREA 


capArea 


Partition of capabilities to be interrogated 


5 


4 






UINT32 


subCapSize 


Size of subCap parameter 


6 


<> 






BYTEQ 


subCap 


Further definition of information 


Outs 


[Oing ( 


Speran 


ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG.RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






UINT32 


respSize 


The length of the returned capabBity response 


5 


<> 






BYTE[1 


resp 


The capability response 



Actions 

The TPM validates the capArea and subCap indicators. If the infomiatlon Is available, the TPM creates 
the response field and fills in the actual information. 



CapArea 


subCap 


Response 


TCG_CAP_ORD 


ORDINAL: 

A value of command 
ordinal : 
see 4.33 


Boolean value. TRUE indicates that 
the TPM supports the ordinal. 
FALSE indicates that the TPM does 
not support the ordinal. 


TCG„CAP_ALG 


TCG_ALG_XX : 
A value of 
TCG_ALGORITHM_ID: 
see 4.15 


Boolean value. TRUE indicates that 
the TPM supports the algorithm. 
FALSE indicates that the TPM does 
not support the algorithm. 


TCG_CAP_PID 


TCG_PID: 

A value of 

TCG PROTOCOL_ID: 

See 4.15 


Boolean value. TRUE indicates that 
the TPM supports the protocol, 
FALSE indicates that the TPM does 
not support the protocol. 


TCG_CAP_PROPERTY 


T PM_CAP_PROP_PCR 


UINT32 value. Retums the number 
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of PGR registers supported by the 
TPM 


TCG_CAP_PRUrcRTY 


TPM PAP PROP DTR 


UINT32 value. Returns the number 
of DIR registers supported by the 
TPM. 


TCG_CAP_PROPcR i Y 


TCfZ PAP PROP MANUFACTURER 


UINT32 value. Returns the Identifier 
of the TPM manufacturer. 


TCG_CAP_PROPERTY 


TCG_C AP_PRO P_S LOT S 


UINT32 value. Retums the 
maximum number of 2048 bit RSA 
keys that the TPM is capable of 
loading. This MAY vary with time 
and circumstances. 


TCG_CAP_VERSION 


Ignored 


Retums the TCG_VERSION 
structure that identifies the version 
of the TPM. See 4.5 


TCG_CAP_KEY_HANDLE 


Ignored 


A TCC^ KFY HANDLE LIST 
structure, describing the handles of 
all keys that are cun-ently loaded 
into the TPM. See 4.9 


TCG CAP CHECK^LOADE 
D 


ALGORITHM: 

A value of TCG__KEY_PARMS : 
see 4.15 


A Boolean value. TRUE indicates 
that the TPM has enough memory 
available to load a key of the type 
specified by ALGORITHM. FALSE 
indicates that the TPM does not 
have enough memory. 



The permitted values of TCG_CAP_PROP_MANUFACTURER and their meaning SHALL be defined ii 
platform specific TCG specifications. 



0x00000101 
0x00000102 
0x00000103 
0x00000104 



IDL Definitions of subCap 

#define TCG_CAP_PROP_PCR 
fdefine TCG_CAP_PROP_DIR 
tdefine TCG_CAP_PROP_MANUFACTURER 
#define TCG CAP_PROP_SLOTS 
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Type 

TCG protected capability; tlie user must supply authorization to use of parameter keyHandle 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetCapabilitySigned 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


The handle of a loaded key that can perform digital 
signatures. 


5 


20 


2s 


20 


TCG_NONCE 


antiReplay 


Nonce provided to allow caller to defend against replay of 
messages 


6 


4 


3s 


4 


TCG.CAPABILITY.AREA 


capArea 


Partition of capabilities to be interrogated 


7 


4 


4s 


4 


U1NT32 


subCapSize 


Size of subCap parameter 


8 


<> 


5s 


<> 


BYTEQ 


subCap 


Further definition of infomiation 


8 


4 






TCGJ^UTHHANDLE 


authHandle 


The authorization handle used for keyHandle 
authorization 






2hi 


20 


TGG^NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3 HI 


20 


TCG_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


11 


20 






TCG.AUTHDATA 


privAuth 


The authorization digest that authorizes the use of 
keyHandle. HMAC key: key.usageAuth 


0ut( 


joing < 


Dperan 


is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 
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2s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM.ORD.GetCapabaitySigned 


4 


4 


3s 


4 


TCG.VERSION 


versbn 


A property filled out version stmcture. 


5 


4 


4s 


4 


UINT32 


respSize 


The length of the returned capability response 


c 
D 


o 


OS 


<> 


BYTEfl 


resp 


The capability response 


7 


4 


6s 


4 


UINT32 


sigSize 


The length of the returned digital signature 


8 


<> 


7s 


<> 


BYTE[] 


sig 


The resulting digital signature. 


9 


20 


2hi 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4 HI 


1 


BOOL 


continueAuthSessbn 


Continue use flag, TRUE if handle is still active 


11 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: key.usageAuth 



Description 

The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY„SIGNING or 
TPM_KEY_LEGACY or TPM^KEYJDENTITY. 

Actions 

1. The TPM calls TPM_GetCapabllity passing the capArea and subCap fields and saving the resp field 
as r1. 

2. The TPM creates h1 by taking a SHA1 hash of the concatenation (r1 || antiReplay). 

3. The TPM validates the authority to use keyHandle 

4. The TPM creates a digital signature of h1 using the key in keyHandle and returns the result in sig. 
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8.11.3TPM_GetCapabilityOwn r 




Type 

TCG protected capability; user must provide autlientication from the TPM Owner. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


S2 


# 


SZ 




1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_AUTH1^C0MMAND 


2 


4 






UINT32 


paramSize 


Total numt)er of input bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD.GelCapbflityOwner 


4 


4 






TCGJMJTHHANDLE 


authHandle 


The authorization handle used for Owner authorization. 






2hi 


20 


TCG_NONCE 


authl^stNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


5 


20 


3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4hi 


1 


BOOL 


continueAutliSession 


The continue use flag for the authorization handle 


7 


20 






TCG_AUTHDATA 


ownerAuth 


The authorization digest for Inputs and owner 
authorization. HMAC key: OwnerAuth. 


Outs 


|Oing( 


)peran( 


is and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM.TAG_RSP_AUTH1_C0MMAND 


2 








UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 




Is 


4 


TCG_RESULT 


retumCode 


The rehjm code of the operation. See section 4.3. 


4 




2s 


4 


TCG.VERSION 


version 


A properly filled out version structure. 


5 




3s 


4 


UINT32 


non_voiatile_flags 


The current state of the non-volatile flags. 


6 




4s 


4 


UINT32 


volatile.flags 


The current state of the volatile flags. 


7 


20 


2hi 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 
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8 


1 


4 HI 


1 


BOOL 


continueAuthSesston 


Continue use flag. TRUE if handle is still active 


9 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: OwnerAuth. 



Description 
For31>=N>=0 

• BIt-N of the TCG_PERSISTENT_F1_AGS structure is the Nth bit after the opening bracket in the 
definition of TCG_PERSISTENT_FLAGS in the version of the specification indicated by the 
parameter "version". The bit immediately after the opening bracl<et is the 0 bit. 

• Bit-N of the TCG_VOLATILE_FIJVGS structure is the Nth bit after the opening bracket in the 
definition of TGG_VOLATILE_FI-AGS in the version of the specification indicated by the 
parameter "version". The bit immediately after the opening bracket is the 0 bit. 

• Bit-N of non_volatile_f!ags con-esponds to the Nth bit in TCG^PERSISTENT^FLAGS, and the Isb 
of non_volatile_flags corresponds to bitO of TCG_PERSISTENT_F1-AGS 

• Bit-N of volatile Jags con-esponds to the Nth bit in TCG_VOLATILE_FLAGS. and the Isb of 
volatile Jags corresponds to bitO of TCG_VOLATILE_FLAGS 

Actions 

1 . The TPM validates that the TPM Owner authorizes the command. 

2 The TPM creates the parameter non_volatiIe_flags by setting each bit to the same state as the 
con-esponding bit in TCG_PERSISTENT_FI_AGS. Bits in non_volatileJags for which there is no 
coresponding bit in TCG_PERSISTENT_FLAGS are set to zero. 

3 The TPM creates the parameter volatile Jags by setting each bit to the same state as the 
corresponding bit in TCG_VOLATILEJLAGS. Bits in volatile Jags for which there is no 
corresponding bit in TCG^VOLATILE JLAGS are set to zero. 

4. The TPM generates the parameter "version". 

5. The TPM returns non_volatileJags, volatile Jags and version to the caller. 
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8.12 Audit Commands 





ffniK^wiii 



^&ehe^^ 



Each command ordinal has an indicator in non-volatile TPM memory indicating if executing the command 
will result in the generation of an audit event. 

The audit event includes the command ordinal and the return code from the command. 

The digest value SHALL be SHA1 (previous value || command ordinal 1| return code). The digest value 

register SHALL have a starting value of NULLS. 

Updating of auditDigest MAY cease when TCG.VOLATILE^FLAGS -> deactivated is TRUE This is 
beSise a deactivated TPM performs no useful service until a platform is rebooted, at which point 
auditDigest is reset. 
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8.12.1 TPM^GetAuditEvent 




Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


DescrifsUon 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSIze 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetAuditEvenl 


Outg 


oingC 


)perar 


ds an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See sectton 4.3. 


4 


4 






TCG.COMMAND.CODE 


cmdOrd 


Last audited command executed 


5 


4 






UINT32 


cmdRetumCode 


Return code for cmdOrd 


6 


20 






TCG.DIGEST 


auditDigest 


Log of ail audited events 



Actions 

1 . The TPM sets cmdOrd to the ordinal of the last audited function. 

2. The TPM sets cmdRetumCode to the return code for the last audited function. 

3. The TPM sets auditDigest to the extended digest value of all audited functions. 
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8.12.2 TPM_GetAudltEventSigned 




Type 

TCG protected capability; user must provide authentication to use tiie key pointed to by keyHandle. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 






1 


2 






TCG.TAG 


tag 


TPM_TAG_RQUJ^UTH1.C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD^GetAuditEventSigned 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


The handle of a loaded key that can perfomn digital 
signatures. 


5 


20 


2s 


20 


TCG.NONCE 


antiReplay 


A nonce to prevent antiReplay attacks 


6 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for key authorization. 






2hi 


20 


TCG^NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


9 


20 






TCG.AUTHDATA 


keyAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: key.usageAuth. 



Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM.TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG^COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetAuditEventSfgned 


4 


4 


3s 


4 


TCG.COMMAND.CODE 


cmdOrd 


Last audited command executed 


5 


4 


4s 


4 


UINT32 


cmdRetumCode 


Retum code for cmdOrd 


6 


20 


5s 


20 


TCG.DIGEST 


auditDigest 


Log of all audited events 


7 


4 


6s 


4 


UINT32 


ordSize 


The size of the ordinal list 


8 


<> 


7s 


<> 


BYTED 


ordinalList 


The list of ordinals that are being audited 


9 


4 


8s 


4 


UINT32 


sigSize 


The size of the sig parameter 


10 


<> 


9s 


<> 


BYTED 


sig 


The signature of the area 


11 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 
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3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4 HI 


1 


BOOL 


continueAutliSess 

ion 


Continue use flag, TRUE if handle is still active 


13 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned paranieters. 
HMAC Icey: key.usageAuth. 



Actions 

1 . The TPM sets cmdOrd to the ordinal of the last audited function. 

2. The TPM sets cmdRetumCode to the return code for the last audited function. 

3. The TPM sets auditDigest to the extended digest value of all audited functions. 

4. The TPM sets ordinalList to a list of all audited functions. This list is a UINT32 of command ordinals. 

5. Create a d1 by taking the SHA1 of (ordinal || cmdOrd || cmdRetumCode || auditDigest || ordinalList || 
antiReplay) 

6. Create a digital signature of d1 by using the signature scheme for keyHandle. 

7. Return the signature in the sig parameter 
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8.12.3 TPM_SetOrdinalAuditStatus 




Type 

TCG protected capability; the user must show authorization from the TPM Owner to execute the 



command. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Descrip^on 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOrdinalAudltStatus 


4 


4 


2s 


4 


TCG.COMMAND.CODE 


ordinalToAudit 


The ordinal whose audit flag is to be set 


5 


1 


3s 


1 


BOOL 


audltState 


Value for audit flag 


6 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


9 


20 






TCG.AUTHDATA 


ownerAuth 


The authorization digest for Inputs and owner 
authorization. HMAC key: ownerAuth. 


Outs 


foing ( 


)peranc 


is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TCG^TAG 


tag 


TPM_TAG^RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


Is 


4 


TC6_RESULT 


returnCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOrdinalAuditStatus 


4 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is stBl active 


6 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Descriptions 



Actions 

1. The TPM authenticates the command using the TPM Owner authentication. If authentication 
unsuccessful the TPM retums TCG_FAIL. 
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2. The TPM sets the state of the non-volatile flag for the given ordinal to the Indicated state. The TPM 
also returns the state in the response. 
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8.12.4 TPM^GetOrdlnalAuditStatus 



» * 



mnformaUvB 




Qetthe.statu3 
End of informal 



Type 

TCG protected capability. 



PARAM 




Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM,ORD_GetOrdinalAuditStatus 


4 


4 






TCG_COMMAND_CODE 


ordinalToQuery 


The ordinal whose audit flag is to be queried 


Outg 


joing Operaii 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize arul tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 








BOOL 


State 


Value of audit flag for ordinalToQuery 



Actions 

The TPM returns the Boolean value for the given ordinal. The value is TRUE if the command is being 
audited. 
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8.12.5 Effect f audit failing aft r suae ssful c mpletlon f a command 




When after successful completion of an operation, and in performing the audit process, the TPM has an 
internal failure (unable to write. SHA failure etc.) the TPM MUST set the intemal TPM state such that the 
TPM retums the TPM^FAILEDSELFTEST en-or. The TPM MUST retum TCG_AUDITFAILURE for the 
current command. 



If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST always return 
TPM^FAILEDSELFTEST for every command other than TPM_GetTestResult. This state must persist 
regardless of power cycling, the execution of TPMJnit or any other actions. 

If the TPM can recover in any way after the failure of an audit operation, then the TPM MUST take the 
actions stated in the following table after setting the failure state. 



Ordinal 


Effect when Audit Fails 


TPM ORD OIAP 


No action - session deleted on TPM INIT 


TPM ORD OSAP 


No action - session deleted on TPM INIT 


TPM_ORD_ChangeAuth 


No action - changed blob not returned so 
nothing to delete 


TPM_ORD_TakeOwnership 


TPM returns to state where there is no 
TPM Owner. 


TPM ORD ChangeAuthAsymStart 


No action - session deleted on TPM INIT 


TPM ORD ChangeAuthAsymFinish 


No action - session deleted on TPM INIT 


TPM_0RD_ChangeAuthOwner 


The TPM MUST revert back to the previous 
authorization value 






TPM_0RD_Extend 


Invalidate PCR by extending 20 bytes of 
0xa5 to the PCR 


TPM ORD PcrRead 


No action 


TPM ORD Quote 


No action 


TPM ORD Seal 


No action 


TPM_ORD_Unseal 


Ensure that unsealed data is made 
unavailable 


TPM__ORD_D i rWr i t eAu th 


Invalidate the DIR by writing 20 bytes 
of 0xa5 into the specified DIR 


TPM ORD DirRead 


No action 






TPM_ORD_UnBind 


Ensure that unbound data is made 
unavailable 


TPM_ORD_C reateWrapKey 


No action - key not returned in blob so 
TPM can just lose the new key 


TPM ORD LoadKey 


Ensure that the key is not available 


TPM ORD GetPubKey 


No action - nothing returned 


T PM_ORD_E V i c t K e y 


No action - key is evicted so no 
security issues 






TPM ORD CreateMigrationBlob 


No action - no blob returned 
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TPM QRD ConvertMigrationBlob 



No 



action - no blob returned 



TPM QRD AuthorizeMigrationKey 



No action - no blob returned 



T PM QRD CreateMaintenanceArchive 
TPM ORD LoadMaintenanceArchive 



No action - no blob returned 



Set the TPM internal state such that the 
TPM returns TPM_NOSRK, This requires the 
caller to resubmit the maintenance 
archive for it to be active. 



TPM ORD KillMaintenanceFeature 



No action 



TPM ORD LoadManuMaintPub 



TPM ORD ReadManuMaintPub 



The TPM returns to a state where no 
maintenance public key has been loaded 
No action - no blob returned 



TPM ORD CertifyKey 



No action - no blob returned 



TPM ORD Sign 



No action - no blob returned 



TPM ORD GetRandom 



No action - nothing returned 



TPM ORD StirRandom 



No action - RNG still secure 



TPM ORD SelfTestFull 



No action 



TPM ORD CertifySelfTest 



No action 



TPM ORD ContinueSelfTest 



No action 



TPM ORD GetTestResult 



No action 



TPM ORD Reset 



No action 



TPM ORD Owner Clear 



No action 



TPM ORD DisableOwnerClear 



No action 



TPM ORD ForceClear 



No action 



TPM ORD DisableForceClear 



No action 



TPM ORD GetCapabilitySigned 



No action 



TPM ORD GetCapability 



No action 



TPM QRD GetCapabilityOwner 



No action 



TPM ORD Owner Set Disable 



No action 



TPM ORD PhysicalEnable 



No action 



TPM ORD PhysicalDisable 



No action 



TPM ORD SetOwner Install 



No action 



TPM ORD PhysicalSetDeactivated 
TPM ORD SetTempDeactivated 



No action 



No action 



TPM ORD CreateEndorsementKeyPair 



This is a dead TPM. It has failed it's 
startup smoke test. It should not leave 
the factory floor. 



TPM ORD Makeldentity 



No action 
lost 



blob not returned so key is 



TPM ORD Activateldentity 



No action - credential not returned but 
blob is still available for the caller 
to resubmit to the TPM when it is 
functional ^ 



TPM ORD ReadPubek 



No action 



TPM ORD OwnerReadPubek 



No action 



TPM ORD DisablePubekRead 



No action 
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TPM ORD GetAuditEvent 


No action 


TPM ORD GetAudi tEventSigned 


No action 






TPM ORD GetOrdirialAuditStatus 


No action 


TPM ORD SetOrdinalAuditStatus 


No action 






TPM ORD T^"rminate Ha.ndl.e 


No action 


TPM ORD Tnit 


No action 


TPM ORD SaveState 


No action 


TPM_ORD_Startup 


No action - The TPM is disabled, all 
save states are invalidated so only non- 
volatile keys are left. 


TPM ORD SetRedirection 


No action 






TPM ORD SHAlStart 


No action 


TPM ORD SHAl Update 


No action 


TPM ORD SHAlComplete 


No action 


TPM ORD SHAlCompleteExtend 


No action 






T PM_ORD_F i e 1 dUp g r a de 


Set TCG PERSISTENT_FLAGS -> 
FailedFieldUpgrade to TRUE. This flag 
sets the disabled bit to TRUE on each 
TPM Init. The only way to set the 
FailedFieldUpgrade flag back to FALSE is 
to successfully complete a FieldUpgrade . 
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8.13 Enabling Ownership 




Versi n 1.1a IS t mber2001 



TCG Main Specification 



Page 243 



8.13.1 TPM.SetOwnerlnstall 
TS^c«eap*««^»-.™«b.»,ne»«.nce=.p^y3^. access p»s.r,.=.«TPM.ov,d„. 

Incoming Operands and Sizes 




Outgoing Operands and Sizes 



PARAM 



HMAC 



SZ 



Type 
TCGJTAG 



UINT32 



TCG.RESULT 



Name 



tag 



paramSize 



retumCode 



Description 
TPM_TAG_RSP_COMMAND 



Total number of output bytes including paramSize and tag 



The return code of the operation. See section 4.3. 



TTme TPM has a current owrter. this command immediately returns with TCG.SUCCESS^ 
• Te TPM validates the assertion of P^ysica. acces. The TPM then sets the value of 
TCG_PERSISTENT_FLAGS -> ownership to the value in state. 
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8.14 Enabling a TPM 
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8.14.1 TPM.OwnerSetDisable 
Type 

TCG protected capability; the TPIS/l Owner must provide authorization. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name , 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of Input bytes including paramSize and tag 


3 


4 


Is 


4 


TCG^COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerSetDisable 


4 


1 


2s 


t 


BOOL 


disableState 


Value for disable state - enable if TRUE 










TCG_AUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce prevfously generated by TPM to cover 
inputs 


6 


20 


3 HI 


20 


TCG^NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4 HI 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


8 


20 






TGG_AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outg 


foing ( 


Dperanc 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Descrjjpfran 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






U1NT32 


paramSIze 


Total number of output bytes induding paramSize and tag 


3 


4 


1s 


4 


TCG_RESULT 


retumCode 


The return code of the operatfon. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerSetDisable 


4 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3hi 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TCGJVUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Action 

1. The TPM SHALL authenticate the command as coming from the TPM Owner. If unsuccessful, the 
TPM SHALL retum TCG_BAD_AUTH. 

2. The TPM SHALL set the TCG_PERSISTENT_FLAGS -> disable flag to the value in the disableState 
parameter. 
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8.14.2 TPM.PhyslcalDisable 
Type 

TCG protected capability; there nnust be some evidence of physical access present for the TPM to verify. 



Incoming Operands and Sizes 



PAHAM 


HMAC 


Type 


A/ame 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_PhysicalDisal)le 


Outs 


[olng ( 


Dperar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Hame 


DesctipSon 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM^TAG_RSP_COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Action 

The TPM SHALL set the TCG_PERSISTENT.FLAGS.disable value to TRUE. The TPM while executing 
this corrimand MUST obtain assurance from a physical nnethod that operation of this command is 
authorized. 

The TPM manufacturer MAY implement this command not as a response to a message block but as a 
response to a physical action, for instance, the acceptance of a special bus cycle or setting a pm high. 
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8.14.3 TPM^PhysicalEnable 
Type 

TCG protected capability; there IVIUST be unambiguous evidence of the presence of physical access 
the platform for the TPM to verify. 

Incoming Operands and Sizes 



PARAhA 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_PhysicalEnablel 


Outs 


loing C 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Action 

The TPM SHALL set the TCG„PERSISTENT_FLAGS.disable value to FALSE. 

In order to execute this command, the TPM MUST obtain unambiguous assurance that operation of this 
command is authorized by physical presence at the platfomi. The command MAY be initiated by the 
presentation to a TPM of a message block with the above input parameters, provided that the message 
block occurs while the TPM is presented with unambiguous assurance that operation of this command is 
authorized by physical presence at the platform. 

Unambiguous assurance that operation of this command Is authorized by a physical action at the platform 
MAY be communicated to a TPM using a special bus cycle that is impossible for software to create, or 
asserting a single electrical signal that is impossible for software to create, for example. 
It SHALL be impossible to subvert this command to a TPM by the execution of instructions In a computing 
engine on the platform. 
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8.15 Activating a TPM 
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8.15.1 TPM.PhysicalSetDeactlvated 
Type 

TCG protected capability: there must be some evidence of physical access present for the TPM to verity. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Nanw 


Description 


# 


SZ 


U 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_C0MMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_PhysicalSetDeactivated 


4 


1 






BOOL 


state 


State to wtilch deactivated flag is to be set. 


Outs 


joing ( 


}perar 


ids an 


d Sizes 


PARAhA 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Action 

The TPM while executing this command MUST obtain assurance from a physical method that operation 
of this command Is authorized. 

The TPM SHALL set the TCG_PERSISTENT_FLAGS.deactivated flag to the value in the state 
parameter. 
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8.1 5.2 TPM.SetTempDeactivated 
Type 

TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


S2 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total riumber of Input bytes including paramSize and tag 


3 


4 






TCG^COMMAND.CODE 


ordinal 


Command ordinal: TPM_ORD_SetTempDeactivated 


Outs 


|oing( 


)perar 


ids an 


d Sizes 


PARAM 




Type 


Name 


Description 


U 


SZ 


# 


SZ 


1 


2 






TGG.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG^RESULT 


retumCode 


The return code of the operation. See section 4.3. 



Action 

Tlie TPM SHALL set the TCG_VOLATILE_FLAGS.deactivated flag to the value TRUE. 
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8.16 TPM_FieldUpgrade 




TCG_RESULT TPM_FieldUpgrade ( 

[in, out] TCG_AUTH* ownerAuth, 

...); 

Type 

TCG protected capability; the TPM Owner must authenticate the command. This is an optional command 
and a TPM is not required to implement this command in any fonn. 

Parameters 



Type 


Name 


Description 


TCG.AUTH 


ownerAuth 


Authentication from TPM owner to execute command 






Remaining parameters are manufacturer specific 



Actions 

The TPM SHALL perform the following when executing the command: 
1 . Validate the TPM Owners authorization to execute the command 

2 Validate that the upgrade information was sent by the TPME. The validation mechanism MUST use a 
strength of function that is at least the same strength of function as a digital signature perfomned 
using a 2048 bit RSA key. 

3. Validate that the upgrade target is the appropriate TPM model and version. 

4. Process the upgrade information and update the protected capabilities 

5 Set the TCG PERSISTENT_DATA.revMajor and TCG_PERSlSTENT_DATA.revMinor to the values 
indicated in the upgrade. The selection of the value is a manufacturer option. The values MUST be 
monotonically increasing. Installing an upgrade with a major and minor revision that is less than 
currently installed in the TPM is a valid operation. 

6. Set the TCG_VOLATILE_FLAGS.deactivated to TRUE. 

Descriptions 

The upgrade mechanisms in the TPM MUST not require the TPM to hold a global secret. The definition of 
global secret is a secret value shared by more than one TPM. 

The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of field 
upgrade. The TPM MUST NOT use the endorsement key for identification or encryption in the "Pgrf a© 
process. The upgrade process MAY use a TPM Identity to deliver upgrade infonnation to specific TPM s. 



Versi n1.1a 1 Setember 2001 



TCG Main Specification 



Page 252 



The upgrade process can only change protected capabilities. 

The upgrade process can only access data in shielded locations where this data is necessary to validate 
the TPM Owner, validate the TPME and nnanlpulate the blob 

The TPM MUST be confomiant to the TCG specification, protection profiles and security targets after the 
upgrade. The upgrade MAY NOT decrease the security values from the original security target. 
The security target used to evaluate this TPM MUST include this command in the TOE. 
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8.17 TPM_SetR direction 




Type 

TCG protected capability; the TPM MAY Implement this command. The user MUST supply authorization 
to use the key pointed to by keyHandle. 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total numt)er of input bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of 
TPM_ORD_SetRedirection 


4 


4 






TCG.KEY^HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can 
implement redirection. 


5 


4 


2s 


4 




C1 


Manufacturer parameter 


6 


4 


3s 


4 


UINT32 


C2 


Manufecturer parameter 


7 


4 






TCG_AUTHHANDLE 


authHandie 


The authorization handle used for keyHandle 
authorization 






2hi 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


9 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


10 


20 






TCG.AUTHDATA 


privAuth 


The authorization digest that authorizes the use of 
keyHandle. HMAC key: key.usageAutt) 


Out£ 


loing ( 


}peran< 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 




1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP.AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


1S 


4 


TCG.RESULT 


retumCode 


The return code of the operatran. See section 4.3. 






2s 


4 


TCG.COMMAND^CODE 


ordinal 


Command ordinal: TPM^ORD.SetRedirection 
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4 


20 


2 HI 


20 


TCG.NONCE 


nonoeEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20. 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandte 


5 


1 


4 HI 


1 


BOOL 


oontinueAuthSessbn 


Continue use flag, TRUE if handle is still active 


6 


20 






TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: key.usageAuth 



Action 

1 . The TPM SHALL validate the authorization to use the key pointed to by keyHandle. 

2. The TPM SHALL verify that the key pointed to by keyHandle has the redirection flag set to TRUE. If 
FALSE the TPM SHALL return TCG_FAIL. 

3. The TPM SHALL set the key handle redirection parameters according to the values in parameters c1 
and c2. 

4. A key that is tagged as a "redirect" key MUST be a leaf key in the TCG Protected Storage blob 
hierarchy. A key that is tagged as a "redirect" key CAN NEVER be a parent key. 

5. Ouput data that is the result of a cryptographic operation using the private portion of a "redirecf key: 

a. MUST be passed to an alternate output channel 

b. MUST NOT be passed to the normal output channel 

c. MUST NOT be interpreted by the TPM. 

6. The authori2:ation response returns to the caller. 
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8.18 Key and Session Management 
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8.18.1 TPM_Sav KeyContext 




Sireafioft' ott^elkey , OTntext,bJob,the TPMl 

context 



Type 

TCG optional function; TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HhAAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM^TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Ck>mmand ordinal, fixed value of TPM.ORD^aveKeyContext 


4 


4 






TCG^KEY^HANDLE 


keyHandle 


The key whicf) wBI be kept outsKJe tfie TPM 


Outg 


oing( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG^RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






UINT32 


keyContextSize 


The actual size of the outgoing key context blob. If the 
command fails the value will be 0 


5 


<> 






BYTED 


keyContextBlob 


The l<ey context blob. 



Description 

This command allows saving a loaded key outside the TPM. After creation of the KeyContextBlob, the 
TPM automatically releases the internal memory used by that key. The format of the key context blob is 
specific to a TPM. 

A TCG protected capability belonging to the TPM that created a key context blob MUST be the only entity 
that can interpret the contents of that blob. If a cryptographic technique is used for this purpose the level 
of security provided by that technique SHALL be at least as secure as a 2048 bit RSA algonthnri. Any 
secrets (such as keys) used in such a cryptographic technique MUST be generated using the TPM s 
random number generator. Any symmetric key MUST be used within the power-on session dunng which it 
was created, only. 

A key context blob SHALL enable verification of the integrity of the contents of the btob by a TCG 
protected capability. 

A key context blob SHALL enable verification of the session validity of the contents of the blob by a TCG 
protected capability. The method SHALL ensure that all key context blobs are rendered invalid if power to 
th TPM is interrupted. 
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8.18.2 TPM_L adKeyC nt xt 




TCG optional function; TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG.RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG.COMMAND.CODE 


ordinal 


Command ordinal, fixed value of TPM.ORD.LoadKeyContexl 


4 


4 






UINT32 


keyContextSize 


The size of the following key context blob. 


5 


<> 






BYTED 


keyContextBlob 


The key context blob. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






TCG_KEY_HANDLE 


keyHandle 


The handle assigned to the key after It has been 
successfully loaded. 



Description 



This command allows loading a key context blob into the TPM previously retrieved by a 
TPM^SaveKeyContext call. After successful completion the handle returned by this command can be 
used to access the key. 

The contents of a key context blob SHALL be discarded unless the contents have passed an integrity 
test. This test SHALL (statistically) prove that the contents of the blob are the same as when the blob was 
created. 

The contents of a key context blob SHALL be discarded unless the contents have passed a session 
validity test. This test SHALL (statistically) prove that the blob was created by this TPM during this power- 
on session. 
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8.19 Auth rization Context Management 
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8.19.1 TPM_SaveAuthContext 




Type 

TCG optional function; TCG protected capability. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Hame 


Desmptbn 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG^RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_SaveAuthContext 


4 


4 






TCG_AUTHHANDLE 


authandle 


Authorization session which will be kept outside the TPM 


Outg 


foing ( 


)perar 


ids an 


d Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG^TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






UINT32 


authContextSize 


The actual size of the outgoing authorization context blob. If the 
command fails the value will be 0. 


5 


<> 






BYTEQ 


authContextBiob 


The authorization context blob. 



Description 

This command allows saving a loaded authorization session outside the TPI^. After creation of the 
authContextBiob. the TPM automatically releases the internal memory used by that session. The format 
of the authorization context blob is specific to a TPM. 

A TCG protected capability belonging to the TPM that created an authorization context blob MUST be the 
only entity that can interpret the contents of that blob. If a cryptographic technique is used for this 
purpose, the level of security provided by that technique SHALL be at least as secure as a 2048 bit RSA 
algorithrn. Any secrets (such as keys) used in such a cryptographic technique MUST be generated using 
the TPM's random number generator. Any symmetric key MUST be used within the power-on session 
during which it was created, only. 

An authorization context blob SHALL enable verification of the integrity of the contents of the blob by a 
TCG protected capability. 

An authorization context blob SHALL enable verification of the session validity of the contents of the blob 
by a TCG protected capability. The method SHALL ensure that all authorization context blobs are 
rendered invalid if power to the TPM is interrupted. 



V rsi n1.1a 1 Set mber2001 



TCG Main Specification 



Page 260 



8.19.2 TPM.L adAuthContext 




Type 

TCG optional function; TCG protected capability, 
incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


DBScripiion 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM.TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSIze 


Total number of input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of TPM_ORD_LoadAuthContexl 


4 


4 






UINT32 


authContextSize 


The size of the following authorization context blob. 


5 


<> 






BYTED 


authContextBlob 


The authorization context btob. 


Outs 


oingC 


>perar 


ids and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TCG_TAG 


tag 


TPM_TAG^RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


4 






TCG_KEY_HANDLE 


authHandle 


The handle assigned to the authorization session after it has 
been successfully loaded. 



Description 

This command allows loading an authorization context blob into the TPM previously retrieved by a 
TPM_SaveAuthContext call. After successful completion the handle returned by this command can be 
used to access the authorization session. 

The contents of an authorization context blob SHALL be discarded unless the contents have passed an 
integrity test. This test SHALL (statistically) prove that the contents of the blob are the same as when the 
blob was created. 

The contents of an authorization context blob SHALL be discarded unless the contents have passed a 
session validity test. This test SHALL (statistically) prove that the blob was created by this TPM during 
this power-on session. 
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9.1 Introduction 




All credentials MUST use the TCG_VERSION structure. 



9.2 Endorsement 




The PRIVEK and PUBEK MUST be accessed only by protected capabilities whose definition explicitly 
requires access to those keys. 



The PRIVEK and PUBEK MAY be created by a process other than the use of 
TPM_CreateEndorsementKeyPair. If so, the process MUST result in a TPM and endorsement key whose 
properties are the same as those of a genuine TPM and an endorsement key created by execution of 
TPM_CreateEndorsementKeyPair in that TPM. 

• The process MUST result in the same TPM state as that created by execution of 
TPM_CreateEndorsementKeyPair. 

• The process MUST guarantee correct generation, cryptographic strength, uniqueness, privacy, 
and installation into a genuine TPM, of the endorsement key. 

• The TPME, when creating the Endorsement Certificate, MUST be satisfied that the described 
endorsement key does exist in a genuine TPM and was Installed by a process that met or 
exceeded the assurances provided by a genuine TPM perfonning 
TPM_CreateEndorsementKeyPair. 

• The process MUST be defined In the TOE of the security target in use to evaluate the TPM 
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9.2.1 TPM.CreateEndorsementKeyPair 
Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


{>aramSlze 


Total number of input bytes Including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateEndorsementKeyPair 


4 


20 






TCG.NONCE 


antiReplay 


Arbitrary data 


5 


<> 






TCG_KEY_PARMS 


keylnfb 


lnfbrmatk>n about key to be created, this Includes af) 
algorithm parameters 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TCG_TAG 


tag 


TPM.TAG.RSP.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 


4 


<> 






TCG.PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 






TCG.DIGEST 


checksum 


Hash of pubEndorsementKey and antiReplay 



Description 



Type 


Name 


Description 


TCG STORE AS 
YMKEY 


PRIVEK 


This SHALL be the private key of the endorsement key pair. 


TCG^PUBKEY 


PUBEK 


This SHALL be the public key of the endorsement key pair. 



The PRIVEK SHALL exist only in a TCG-shielded location. 

If the data structure TPM_ENDORSEMENT_GREDENTIAL is stored on a platform after an Owner has 
taken ownership of that platfonm. It SHALL exist only in storage to which access is controlled and is 
available to authorized entities. 

Actions 

The first valid TPM_CreateEndorsementKeyPalr command received by a TPM SHALL 

1. Validate the keylnfo parameters for the key description 

a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For 
interoperability the key length SHOULD be 2048 
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b. If the algorithm type is other than RSA the strength provided by th key MUST be 
comparable to RSA 2048 

c. The other parameters of keylnfo (signatureScheme etc.) are ignored. 

2. Create a key pair called the "endorsement key pair" using a TCG-protected capability. The type and 
size of key are that indicated by keylnfo 

3. Create checksum by perfonning SHA1 on the concatenation of (PUBEK || antiReplay) 

4. Store the PRIVEK. 

5. Export the data structures PUBEK and checksum 

6. Set TCG_PERSISTENT_FLAGS -> CEKPUsed to TRUE 

Subsequent calls to TPM_CreateEndorsementKeyPair SHALL retum code TCG_DISABLED_CMD 
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9.2.2 TPM_R adPubek 
Type 

TCG protected capability 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of Input bytes including paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadPubek 


4 


20 






TCG.NONCE 


antiReplay 


Arbitrary data 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP.COMMAND 


2 


4 






UINT32 


paranfiSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG_RESULT 


retumCode 


The return code of the operation. See sectun 4.3. 


4 


<> 






TCG.PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 






TCG_D1GEST 


checksum 


Hash of pubEndorsementKey and antiReplay 



Description 

This command returns the PUBEK. 
Actions 

The TPM_ReadPubelc command SHALL 

1 . If TCG_PERSISTENT_FLAGS -> readPubek is FALSE return TCG_DISABLED_CI\/ID. 

2. If no EK is present the TPM I^UST return TCG_NO_ENDORSEIV!ENT 

3. Create checlcsum by performing SHA1 on the concatenation of (PUBEK || antiReplay). 

4. Export the PUBEK and checksum. 
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9.2.3 TPM DisablePubekRead 




Type 

TCG protected capability; tlie user must present authorization from the TPM Owner. 
Incoining Operands and Sizes 



PARAM 


HMAC 


Type 




Name 


Description 


# 


SZ 


# 


SZ 






1 


2 






TCG.TAG 


tag 


TPM_TAG_RQU^AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG.COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD.DisablePubekRead 


4 


4 






TCG.AUTHHANDI^ 


authHandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce prevtously generated by TPM to cover 
inputs 


5 


20 


3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


7 


20 






TCGJ^UTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UJNT32 


paramSize 


Total number of output bytes induding paramSize and tag 


3 


4 


Is 


4 


TCG_RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


Conmiand ordinal: TPM.ORD_DtsablePubekRead 


4 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system assodated with authHandle 


5 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the retumed parameters. 
HMAC key: ownerAuth. 



Actions 

This capability sets the TCG^PERSISTENTFLAGS -> readPubek flag to FALSE. 
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9.2.4 TPM^OwnerReadPubek 
Type 

TCG protected capability: caller must supply authorization from the TPM Owner 



Incoming Operands and Sizes 



PARAM 


Hmc 


Type 


Name 


Description 


U 


SZ 


# I SZ 


1 


2 






TCG^TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of Input bytes Including paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD_OwnerReadPubek 


4 


4 






TCG.AUTHHANDLE 


authhtandle 


The authorization handle used for owner authorization. 






2 HI 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 
inputs 


5 


20 


3 HI 


20 


TCG^NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4hi 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


7 


20 






TCG.AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner 
authorization. HMAC key: ownerAuth. 


Outs 


oing ( 


Dperanc 


Is and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG_COMMAND^CODE 


ordinal 


Command ordinal: TPM.ORD.OwnerReadPubek 


4 


<> 


3s 


<> 


TCG_PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 


2 HI 


20 


TCG_NONCE 


nonoeEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Continue use flag. TRUE if handle is stUI active 


7 


20 






TCG_AUTHDATA 


resAuth 


The authorization digest for the relumed parameters. 
HMAC key: ownerAuth. 



Description 

This command returns the PUBEK. 
Actions 

The TPM_ReadPubek command SHALL 

1 . Validate the TPM Owner authorization to execute this command 

2. Export the PUBEK 
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9.3 Generating a Trusted Platf rm Module Identity 



^^^^^^^ ^ ^ 




ifSSSiililSIIS 



^^^^ 



|ir — 
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Obtaining a TPM identity 

make^TPM ideiitity(P_CAjdeiitlty, 













f 





























id-label, identity.authorisatioii, alg_ld, alg^aram) 
identity binding 

collate Jdentity__request(, . . .) 

E(P_CAJdeiitIty. session-key^l) 
E(session_key_l, TPM-ldentlty-key, 
id-label, aig>id, alg-param, identity^blnding, 
endoriement-cred, platform-cred, 
conformance-crcd) 



contact jrivacy_CA 

activate_TPM Jdentity ( 
E(endorscment_key,digestad-key), sesslon_key.2)) 

scssion_key_2 

recover_TPM_identity(session_key_2, 
E(session.key_2, TPM Jdentity_credentials)) 

^ TPMJdcntity^credentials 

Owner 
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9.3.1 TPM.Makeldentity 
Type 

TCG protected capability; user must provide authorizations from the TPM Owner and the 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes ind. paramSize and tag 


3 


4 


Is 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Makeldentity. 


4 


20 




20 


TCG.ENCAUTH 


idenntyAutn 


cn/oruntoH i leanA aiithoriTation data for the new identity 


5 


20 


3s 


20 




lahplPrivCADIaest 


Tiie digest of the identity label and privacy CA chosen 
for the new TPM identity. (See 10.4.6 for details) 


6 


<> 


4s 


<> 


TCG_KcY 


tH l^ouPa ra mQ 
lUixtsyr alallia 


Stnjcture containing all parameters of new identity Itey. 
pubKey.keyLength & idKeyParams.encData are both 0 


f 


A 
H 






TCG.AUTHHANDLE 


srkAuthHandle 


The authorization handle used for SRK authorization. 






2 HI 


20 


TCG_NONCE 


srkLastNonceEven 


Even nonce previously generated by TPM 


8 


20 


3 HI 


20 


TCG_NONCE 


srknonceOdd 


Nonce generated by system associated with 
srkAuthHandle 


9 


1 


4 HI 


1 


BOOL 


continueSrkSession 


Ignored 


10 


20 






TCGJVUTHDATA 


srkAuth 


The authorization digest for the inputs and the SRK. 
HMAC key: srk.usageAuth, 


11 


4 






TCG_AUTHHANDLE 


authHandle 


The authorization handle used for owner authorization. 
Session type MUST be OSAP. 






2h2 


20 


TCG.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover 

inputs 


12 


20 


3h2 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


13 


1 


4h2 


1 


BOOL 


continueAuthSession 


Ignored 


14 


20 




20 


TCGJKUTHDATA 


ownerAuth 


The authorization digest for Inputs and owner. HMAC 
key: ownerAuth. 


Outj 


going 


Dperan 


ds and 


Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


Is 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODE 


ordinal 


Command ordlnal.TPM_ORD_Makeldentity. 


4 


<> 


3s 


<> 


TC6.KEY 


idKey 


The newly created identity key 
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5 


4 


4s 


4 


U1NT3Z 


lueniiiy Diiiu ing o iz.e 


The used size of the outout area for IdentityBinding 


6 


<> 


5s 


<> 


BYTEU 


identityBinding 


Signature of TCG.IDENTrTY^CONTENTS using 
idKey.private. 


7 


20 


2H2 


20 


TCG.NONCE 


srl^NonceEven 


Even nonce newly generated by TPM. 






3h2 


20 


TCG_NONCE 


srtcnonceOdd 


Nonce generated by system associated with 
srkAuthHandle 


8 


1 


4h2 


1 


BOOL 


continueSrkSession 


Fixed value FALSE 


9 


20 






TCGJ^UTHDATA 


srkAuth 


The authorization digest used for the outputs and srkAuth 
session. HMAC key: srk.usageAuth. 


10 


20 


2 HI 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3 HI 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


11 


1 


4 HI 


1 


BOOL 


continueAuthSession 


Fixed value FALSE 


12 


20 




20 


TCG.AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Description 

The command TPM_Makeldentity is used to generate an identity in a TPM and to request attestation to 
that identity. 

The public key of the new TPM identity SHALL be identityPubKey. The private key of the new TPM 
identity SHALL be tpm_signature_key. 

This command requires XOR encryption of the authorization to use the new identity. To create an XOR 
string, the caller takes the OSAP session shared secret, concatenates it with authLastNonceEven. and 
then hashes the result. This hash encrypts the authorization value and produces identityAuth. 



Properties of the new identity 



Type 


Name 


Description 


TCG^PUBKEY 


identityPubKey 


This SHALL be the public key of a previously unused 
asymmetric key pair. 


TCG STORE ASY 
MKEY 


tpm signature_key 


This SHALL be the private key that forms a pair with 
IdentityPubKey and SHALL be extant only in a TCG- 
shielded location. 



This capability also generates a TCG_KEY containing the tpm_signature_key. 

If IdentityPubKey is stored on a platform after an Owner has taken ownership of that platform, it SHALL 
exist only in storage to which access is controlled and is available to authorized entities. 

Actions 

A Trusted Platform Module that receives a valid TPM.Makeldentity command SHALL do the following: 
1 . Validate the idKeyParams parameters for the key description 

a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For 
interoperability the key length SHOULD be 2048 

b. If the algorithm type is other than RSA the strength provided by the key MUST be 
comparable to RSA 2048 
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c If the TPM is not designed to create a key of the requested type, return the enror code 
TCG_BAD_KEY_PROPERTY 

2. Use authHandle to verify that the Owner authorized all TPM^Makeldentity input parameters. 

3. Use srkAuthHandle to verify that the SRK owner authorized all TPM^Makeldentity input parameters. 

4. Verify that idKeyParams -> keyUsage is TPM^KEYJDENTITY. If it is not. return 
TCGJNVALID^KEYUSAGE 

5. Verify that IdKeyParams -> keyFlags -> migratable is FALSE. If it is not, retum 
TCGJNVALID^KEYUSAGE 

6 Obtain the identity authorization to be associated with the new TPM identity, by ^lecrypting the field 
IdentityAuth. The establishment of the TPM^OSAP session MUST use the authenticaton of the TPM 
Owner. 

7. Set continueAuthSession to FALSE. 

8. Create an asymmetric key pair (identltyPubKey and tpm_slgnature.key) using a TCG-protected 
capability, in accordance with the algorithm specified in idKeyParams 

9. Create TCG_KEY structure idKey using idKeyParams as the default values for the structure. 

10. Ensure that the authorization infonmation in IdentityAuth is properly stored in the idKey as usageAuth. 

11. Attach identltyPubKey and tpm_signature_key to idKey 

12. Set idKey -> migrationAuth to TTCG_PERSISTANT.DATA -> tpmProof 

13. Ensure that all TCG_PAYLOAD_TYPE structures Identity this key as TCG_PT_ASYM 

14. Encrypt the private portion of idKey using the SRK as the parent key 

15. Create a TCGJDENTITY^CONTENTS structure named idContents using labelPrivCADigest and the 
infonmation from idKey 

16. Sign idContents using tpm.signature^ey and TCG_SS_RSASSAPKCS1v15_SHA1. Store the result 
in IdentityBlnding. 
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9.3.2 TSS^CollateldentityRequest 




Type 

TSS capability and MAY be TPM capability. 



Type 


Name 


Description 


TCGJDENTITY_PROOF 


proof 


This SHALL be tine structure specified in 
4.30.3 


TCG_KEY_PARMS 


SymAlgorithm 


This SHALL specify the type of symmetric 
encryption algorithm to be used for a 
session key. and the scheme it will use to 
perform encryptions. 


TCG_PUBKEY 


CaPubKey 


This SHALL be public key of the CA which 
will provide the credential for the Identity 


UINT32* 


ReqSize 


This SHALL be the size of the identityReq 
field 


TCGJDENTITY_REQ* 


IdentityRequest 


This SHALL be the data structure defined in 
this section. 



Description 

The command TSS_CollateldentityRequest assembles all data necessary to request attestation of a 
Trusted Platfonn Module identity. 

The structure "proof (of type TPMJDENTITY.PROOF) contains fields that a privacy-CA requires in order 
to decide whether to attest to the TPM identity described by "proof. 

A Trusted Platform Subsystem that receives a valid TSS.CollateldentityRequest command SHALL export 
the data stmcture "TCG_IDENTITY_REQ.' 

The TSS in executing this function perfonns two encryptions. The first is to symnietrirally encry^^ 
information and the sicond is to encrypt the symmetric encryption key v«th an ^s/^T'f^'f^.f^"*^^^^^^ 
symmetric key is a random nonce and the asymmetric key is the public key of the CA that will provide the 
identity credential. 
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For reasons of interoperability, CaPubKey SHOULD indicate TCG^ALG.RSA (RSA) with a key length of 

2048 bits. SymAlgorithm SHOULD be TCG_ALG_3DES (3DES in CBC mode). 

The use of TCG.ALG.AES (AES In CBC mode) as the symmetric algorithm Is encouraged. 

Actions 

The command SHALL perfomn the following actions: 

1 Validate that the TSS can support the symmetric algorithm and the asymmetric algorithm necessary 
to perform the encryptions. If the TSS does not support these algorithms it MUST retum 
TCG_BAD„KEY_PROPERTY 

2. Initialize the identltyRequest area to be the TC6_IDENTITY_REQ stmcture. 

3. Create a session key In accordance with the algorithm in SymAlgorithm, by calling TSS.GetRandom. 

4. Create an IV in accordance with the algorithm In SymAlgorithm, by calling TSS^GetRandom. 

5. Encrypt the TCGJDENTITY.PROOF structure using the session key created in step 3, the IV 
created in step 4. and the symmetric algorithm specified by SymAlgorithm. 

6. Place the encrypted TCGJDENTITY_PROOF blob into the TCGJDENTITY.REQ.symBlob field. 

7. Create a TCG_SYMMETRIC_KEY structure using the session key created in step 3. 

8. Encrypt the TCG_SYMMETRIC_KEY structure created in step 7 using the algorithm specified in the 
key caPubKey. 

9. Place the encrypted TCG^SYMMETRIC.KEY blob into the TCGJDENTITY_REQ.asymBlob field. 

10. Create TCGJDENTITY_REQ.SymAlgorithm using SymAlgorithm and inserting the IV created in step 
4 into the previously empty "parms" field. 

1 1 . Create TCG JDENTITY_REQ.AsymAlgorithm from CaPubKey. 

12. Retum the TCG JDENTITY^REQ structure. 
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9.3.3 Contacting a Privacy CA 
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9.3.4 TPM^Actlvateldentity 




Type 



TCG protected capability; user must provide authorization from the TPM Owner to execute command. 



PARAM 


HM/C 


Type 


Name 


Description 


# 


S2 


# 


sz 


1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of input bytes ind. paramSize and tag 


3 


4 


1s 


4 


TCG_COMMAND_CODE 


ordinal 


Command ordinal: TPM„ORD_Activateldentity. 


4 


4 






TCG.KEY.HANDLE 


idKey 


Identity key to be activated 


5 


4 


2s 


4 


UINT32 


blobSize 


Size of encrypted blob from CA 


6 


<> 


3s 


<> 


BYTE[] 


blob 


The encrypted ASYM^CA^CONTENTS structure 


7 


4 






TCG_AUTHHANDLE 


IdKeyAuthHandle 


The authorization handle used for ID key authorization. 






2 HI 


20 


TCG.NONCE 


idKeyLastNonceEven 


Even nonce previously generated by TPM 


8 


20 


3 HI 


20 


TCG.NONCE 


idKeynonceOdd 


Nonce generated by system associated with 
IdKeyAuthHandle 


9 




4 HI 


1 


BOOL 


continueldKeySession 


Continue usage flag for idKeyAuthHandle. 


10 


20 






TCG_AUTHDATA 


idKeyAuth 


The authorization digest for the inputs and ID key. 
HMAC key: WKey.usageAuth. 


11 


4 






TCG_AUTHHANDLE 


authHandle 








2h2 


20 


TCG.NONCE 


authlastNonceEven 


Even nonce previously generated by TPM to cover 
Inputs 


12 


20 


3h2 


20 


TCG.NONCE 


nonceOdd 


Nonce generated by system associated with 
authHandle 


13 


7 


4h2 


1 


BOOL 


continueAuthSessbn 


The continue use flag for the authorization handle 


14 


20 




20 


TCG.AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner. HMAC 
key: ownerAuth. 



Outgoing Operands and Sizes 



PARAM 



I HMAC I Type 



Name 



Description 
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# 


SZ 




SZ 








1 


2 






TCG_TAG 


tag 




0 

c 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and 
tag 


3 


4 


1s 


4 


TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3. 






2s 


4 


TCG.COMMAND.CODc 


ordinal 


fVtmmanH nrdinal'TPM ORD Ac^atfildentitV 
\/UllllllonU UIUIIIOI. 1 r IVI^Wixfc/ _f^l#Mwqtpmgnu*j. 


4 


<> 


3s 


<> 


TCG_5YMMcT RIL_Kfc Y 


symni6iiici\ey 


Tha rifiRn/ntari svmmetric kev 


5 


20 


2hi 


20 


TCG.NONCE 


IdKeyNonceEven 


CVoil nonCc IlcWiy ycllciaieu uy i nvi, 






3 HI 


20 


TCG.NONCE 


idKeynonceOdd 


idKeyAuthHandle 


Q 




4 HI 




BOOL 


continueldKeySession 


Continue use flag» TRUE if handle is still active 


7 


20 






TCG.AUTHDATA 


idKeyAuth 


The authorization digest used for the returned 
parameters and IdKeyAuth session. HMAC key: 
IdKey.usageAuth. 


8 


20 


2h2 


20 


TCG.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3h2 


20 


TCG_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


f 


4h2 




BOOL 


continueAuthSession 


Continue use flag. TRUE if handle is still active 


10 


20 




20 


TCG_AUTHDATA 


resAuth 


The authorization digest for the returned parameters. 
HMAC key: ownerAuth. 



Description 

The command TPM.Actlvateldentity activates a TPM identity created using the command 
TPM_Makeldentlty. 

The command assumes the availability of the private key associated with the identity. The command will 
verify the association between the keys during the process. 

The command will decrypt the TCG_ASYM_CA_CONTENTS structure, extract the session key and verify 
the connection between the public and private keys. 

Actions 

A Trusted Platfonn Module that receives a valid TPM_Activate Identity command SHALL do the following: 

1. Using the authHandle field, validate the owner's authorization to execute the command and all of the 
Incoming parameters. 

2. Using the idKeyAuthHandle. validate the authorization to execute command and all of the incoming 
parameters 

3. Decrypt blob using PRIVEK as the decryption key. The resulting decrypted area MUST be a 
TCG_ASYM_CA_CONTENTS structure. 

4 Compute a digest of the public key in the idKey. Compare the computed digest to the value in the 
decrypted TCG_ASYM_CA_CONTENTS stmcture. Return with the en^or code 
TCG_BAD_PARAMETER on a mismatch. 

5. Validate that the idKey is the public key of a valid TPM identity by checking that IdKey -> keyUsage is 
TPM_KEY_IDENTITY 

6. Return the session key from the TCG_ASYM_CA_CONTENTS structure. 
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9.3.5 TSS^Rec verTPMIdentlty 




The command TSS_Recoverldentity obtains a plaintext copy of the TPMJDENTITY.CREDENTIAL 
created by a Privacy CA. 



If the data structure TPMJDENTITY_CREDENTIAL is stored on a platfomri after an Owner has taken 
ownership of that platfonm. it SHALL exist only in storage to which access Is controlled and is only 
available to authorized entities. 



Suggested Parameters 



Type 


Name 


Description 


TCG_SYMMETRIC_KEY 


SessionKey 


This SHALL be the symmetric key decrypted by the 
TPM_Activateldentity 


UINT32 


symAttSize 


This SHALL be the size of the symAtt parameter 


TCG SYM CA ATTESTA 
TION* 


symAtt 


This SHALL be the TCG_SYM_CA_ATTESTATION 
structure 


UINT32* 


CredentialSize 


This SHALL be the size of the credential 


BYTE* 


Credential 


This SHALL be the decrypted 
TCGJDENTITY^CREDENTIAL 



Actions 

A Tmsted Platform Subsystem that receives a valid TSS_Recoverldentity command SHALL do the 
following: 

1. Using the session key and the symmetric algorithm indicated by algorithm and the algorithm 
parameters, decrypt credential parameter inside TCG_SYM_CA_ATTESTATION to recover the 
TPMJDENTITY_CREDENTIAL. 

2. The TSS SHOULD verify the self-consistency of TPMJDENTITY_CREDENTIAL and abandon this 
TSS_Recoverldentity process if there Is an inconsistency. The process of verifying certificates is 
outside the scope of this specification. 

3. Export TPMJDENTITY_CREDENTIAL. 
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9.4 Instantiation of Data Wh n Contacting a Privacy CA 




9.4.1 From Owner to Privacy CA 

The protocol from the Owner to the Privacy CA SHALL consist of the following IdentityRequest message: 

TCGIdentityReq : := SEQUENCE { 

Version, 



version 
asyitiAlg 
symAlg 



TCGAlgorithmParms, 
TCGAlgor ithmParms , 
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asymBlob EncTCGSymmetricKey, 

symBlob EncTCGIdentityProof 

} 

Version : := INTEGER , . . * 

— the version number, for compatibility with future revisions of 
~ this specification. It shall be 0 for this version of the 

— specification. 

TCGAlgorithmParms SEQUENCE { 

algid Algorithmldentifier, 
parms OCTET STRING 

— the parameters for the algorithm specified in algid 

} 

EncTCGSymmetricKey ::= BIT STRING 

~ the ciphertext resulting from the encryption (under the public 
~ identity key of the Privacy CA) of the following DER-encoded data 

— structure. 

TCGSymmetricKey : := SEQUENCE { 

algid Algorithmldentif ier, 

encScheme OCTET STRING, ~ TCG_ENCRYPTION_SCHEME 

^Q^ta BIT STRING — randomly-generated session key 

} 

EncTCGIdentityProof : := BIT STRING 

— the ciphertext resulting from the encryption (under the session 

— key in TCGSymmetricKey above) of the following DER-encoded data 

— structure: 

TCGIdentityProof SEQUENCE { 

TCGVersion TCGSpecVersion, ^^major . minor 

tpmldKey SubjectPublicKeylnf o, ~ new public key 

tpmldLabel OCTET STRING, — identity label 

identityBinding BIT STRING, — (see below) 

endorsementCred Certificate, ~ X.509v3 PK cert 

platformCred Certificate, ~ X.509 attr. cert 

conformanceCred Certificate — X.509 attr. cert 

} 

— SubjectPublicKeylnfo 

~ (a SEQUENCE of an Algori thmXdentif ier and a BIT STRING) is 

— specified in X.509. The BIT STRING contains the subject's public 

— key (for example, if the algorithm specified is rsaEncryption, the 
~ BIT STRING contains the BER encoding of a value of PKCS #1 type 

~ ^^RSAPublicKey") . 

— identityBinding . ^ i 

— is the signature value (using the newly generated TPM private key 

— that corresponds to the public key in tpmldKey) over the data 

~ specified in Section 4.30.1 TCG_,IDENTITY_CONTENTS . How that data ~ is 
formatted or delimited is beyond the scope of the protocol 

— specified here; however, the formatting chosen must be known to 

— both the TPM and the Privacy CA. 
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9.4.2 Fr m Privacy CA to Own r 

The protocol from the Privacy CA to the Owner consists of the PCAResponse message: 

PCAResponse : : = SEQUENCE { 

version Version, 
symitiAlg Algorithmldentif ier , 

encTCGAsymCaContents EncTCGAsymCaContents, 
TCGSymCaAttestation TCGSymCaAttestation 

} 

EncTCGAsymCaContents ::= BIT STRING 

~ the ciphertext resulting from the encryption (under the PUBEK of 
the TPM) of the following DER-encoded data structure: 

TCGAsymCaContents : := SEQUENCE { 

idDigest BIT STRING, — hash of tpmldKey 

sessionKey BIT STRING 

} 

NOTE: the validity of the entire protocol for obtaining a TPM 

~ identity depends critically upon the assumption that a genuine 
TPM will only ever decrypt data using its PRIVEK as part of the 

— TPM ActivateldentityO call. An Owner will never be able to ask a 

— TPM^for the decryption of arbitrary data that has been encrypted 
with its PUBEK. Furthermore, the difficulty of successfully 

— - impersonating a TPM is ultimately bound to the computational 
~ complexity of finding a collision for idDigest. It is therefore 
~ STRONGLY RECOMMENDED that the digest be computed using the full 
~ output of a cryptographic hash algorithm of sufficient strength 
~ (e.g., the full 160 bits of SHA-1) . 

TCGSymCaAttestation : := SEQUENCE { 

algorithm TCGAlgorithmParras, 
encCredential BIT STRING 

the ciphertext resulting from the encryption (under the 

— symmetric session key in TCGAsymCaContents above) of the 

— tpmldentityCredential (which is itself DER-encoded as an 

— X.509 PK Certificate). 

) 
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9.5 Instantiation of Credentials as Certificates 




Certificate syntax 

TCG certificate syntax conforms with the definitions for public-key certificates and attribute certificates in 
X.509. The following TCG certificate types are public-key certificates: 

• TPM endorsement certificate 

• TPM identity certificate 

The following TCG certificate types are attribute certificates: 

• Platform endorsement certificate 

• Platform conformance certificate 

• Validation data certificate 

The fomi of the following certificates is out of scope for this version of the TPM specification: 

• TPM endorsement entity certificate 

• TCG component endorsement entity certificate 

• Platfonm endorsement entity certificate 

• Platform conformance certificate 

The serial number used by the following certificates is not unique for each platform. It is anticipated that 
the serial number would remain the same on multiple platfbmis. 

For instance all platfomis of the same model and version would have the same serial number in their 
StfSSTeS^^^^^^^ For these same platfomis. the platfomi confomiance f ^ific^^^^^^^^ 

SrSh^sS^^^^ number but that number would be different than the endorsement certificate serial 
number. 
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9.5.1 Instantiation f TPM_ENDORSEMENT_CREDENTIALs 




If the data structure <endorsement_certificate> is stored on a platform after an Owner has taken 
ownership of that platform, it SHALL exist only in storage to which access is controlled and is available to 
authorized entities. 
Oven^iew 

The TPM endorsement certificate represents an assertion by the TPM endorsement entity that the 
referenced TPM conforms with the TCG TPM specification. 

Profile 

Notes: 

• Some fields are assigned a value even though the certificate user performs no action based on 
that value. In such cases, the intention is to inhibit non-TCG implementations from making 
inappropriate use of the certificate. 

. It is intended that the lifetime of a TPM will be shorter than the crypto-period of the TPM 
endorsement public and private keys. Therefore, keys are not "rolled-over^. 

• The trustworthiness of the architecture is vulnerable to the compromise of a single TPM 
endorsement private key. However, the architecture does not include a revocation mechanism. 
Nevertheless, certain forms of revocation scheme can be retrofitted, should it become necessary 
at some time in the future. 

In the case of the TPM endorsement certificate, the issuer is the TPM endorsement entity and the user is 

a Privacy CA. 



Field 



Version 
Serial number 

Signature 



Issuer 



issuer action 



Assign value 2 (v3). 

Assign a value unique amongst all 
certificates issued by "issuer". 

Assign the algorithm Identifier sha- 
1 With RSAEncryption 
(1:2:840:113549:1:1:5). 



The distinguished name of the 
TPM endorsement entity. That is 
the entity that asserts that the 
subject TPM confonms with the 
TCG specification. (Note: this may 
be the TPM manufacturer or a 
conformance test laboratory.) 



User action 



Check value = 2. else reject. 

Use in validating the platform endorsement 
and conformance certificates. 

Check the algorithm identifier = 
1:2:840:113549:1:1:5, else reject. Validate 
the signature on the certificate using the 
public key of the TPME (which shall be a 
2048-bit RSA key), obtained by an out-of- 
band means and referenced by "issuer^ and 
"authority key Identifier". 

Check that the name is the name of one of 
the acceptable TPM endorsement entities, 
use in validating the platform endorsement 
and conformance certificates. 
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Validity 



Subject 



Subject public 
key info 



Issuer unique 
identifier 

Subject unique 
identifier 

Extensions 

Authority key 
identifier 



Subject key 
identifier 

Key usage 



Extended key 
usage 

Private key 
usage period 

Certificate 
policies 



Policy mappings 
Subject 

alternative name 



Issuer altemative 
name 



Assign notBefore to the current 
time and notAfter to a later time 
(maybe the latest time permitted by 
the encoding scheme). 

Assign the value NULL 

Assign algorithm identifier RSAES- 
OAEP (1 :2:840:1 13549:1 :1 :7). 
Include a 2048-bit RSA public key 
for key enciphemient with OAEP 
formatting. (Note: this is the TPM 
public endorsement key.) 

Omit. 
Omit. 



Assign "critical" the value FALSE. 
Assign the value of "subject key 
Identifier" from the manufacturer's 
certificate, if available, else omit. 

Omit. 

May be omitted. If included, then 
the key encipherment bit shall be 
set TRUE. 

Omit. 



Omit. 

Assign "critical" the value TRUE. 
Assign policyldentifier at least one 
object identifier. Assign the cPSuri 
policy qualifier the value of an 
HTTP URL at which a plain 
language version of the TPM 
endorsement entity's certificate 
policy may be obtained. Assign 
the explicit text userNotice policy 
qualifier the value "TCG Tmsted 
Platfonm Module Endorsement". 

Omit. 

Assign "critical" the value FALSE. 
Include the TPM identity, using the 
directory name-form with RDNs for 
the TPM manufacturer, model and 
version numbers. 

Omit. 



Check that the current time is later than the 
notBefore time, else reject. 



No action. 

Use the public key in the TPM identity 
protocol. 



No action. 



No action. 



Use to locate the certificate that contains a 
public key of the manufacturer with which the 
signature on this certificate can be verified. 

No action. 

If present, then check that the key 
encipherment bit is TRUE, else reject. 

If present and marked critical, then reject. 

If present, then check that the current time is 
later than the notBefore time. 

Check that at least one acceptable 
policyldentifier value is present. Transfer the 
acceptable policylnfonmatlon value to the 
TPM identity certificate "certificate policies' 
extension. 



No action. 

Check that the TPM manufacturer, model 
and version numbers are acceptable. 
Transfer to the TPM identify certificate 
"subject altemative name" extension value 
for the TPM. 

No action. 
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Subject directory 
attributes 



Basic constraints 

Name constraints 

Policy constraints 

Inhibit any policy 

CRL distribution 
points 



Include a "subject directory 
attributes" extension. Assign 
"critical" the value FALSE. Include 
the multi-valued attribute 
"supported algorithms" (see 
X.509). Include object identifiers 
for the following algorithms: 
RSAES-OAEP, SHA-1 
(1.3.14.3.2.26) and TPM identity 
protocol. 

Include the "TCG Specification 
Version** attribute, with field values 
correctly reflecting the highest 
version of the TCG specification 
with which the TPM 
implementation conforms. 

Optionally, include the ''security 
qualities" attribute with a text string 
reflecting the security qualities of 
the TPM. (Note: this is the TPM 
distributed validation.) 

Assign "critical" the value TRUE. 
Assign "CA" the value FALSE 

Omit. 

Omit. 

Omit. 

Omit. 



Adapt the TPM identity protocol to use only 
algorithms supported by the TPM. 



Check that the TCG specification version is 
acceptable, else reject. 



Optionally (and if present), check whether 
the TPM implementation has acceptable 
security qualities. Transfer to the TPM 
identity certificate "subject directory 
attributes" extension. 

No action. 

No action. 
No action. 
No action. 

If present and mariced critical, then reject. 
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9.5.2 Instantiation of PLATFORM_CREDENTIAL 




If the data structure <Dlatform certificate is stored on a platform atter an Owner has taken ownership of 
K pfal^rS it^S^Lf ^^oSy In storage to which access is controlled and is available to authorized 
entities. 
Overview 

The Platfonn Endorsement Certificate represents an assertion by the platfornn endoreement entity that the 
Serence7;.la^^ incorporates a TPM and an RTM in a manner that confonns with the TCG 
specification. 
Profile 

Note- some fields are assigned a value even though the certificate user performs no action with that 
valIie. rsurisSt^e intention is to inhibit non-TCG implementations from malcing inappropnate use 
of the certificate. 

In the case of the Platform endorsement certificate, the issuer is the platform manufacturer and the user 

is a Privacy CA. ^ 



Field 



Issuer action 



User action 



Version 
Holder 



Issuer 



Signature 



Assign value 1 (v2). 

BaseCertificateiD referencing the 
corresponding TPM endorsement 
certificate. (Note: this is the TPM 
credential reference.) 

The distinguished name of the 
platform endorsement entity. That is 
the entity that asserts that the subject 
platfonm incorporates a TPM and 
RTM in a manner that conforms with 
the TCG specification. (Note: this 
may be the platform manufacturer or 
a confonmance test laljoratory.) 

Assign algorithm identifier sha- 

IWithRSAEncryption 

(1:2:840:113549:1:1:5). 



Serial number 



attrCertValidity 
Period 



Assign a value unique per instance of 
a TBB amongst all certificates issued 
by "issuer" 

Assign notBefore to the current time 
and notAfler to a later time (maybe 



Check value = 1 , else reject. 

Check that the certificate ID con-ectly 
references the TPM endorsement certificate 
used to validate the TPM identity request 
message, else reject. 

Check that the name is the name of one of 
the acceptable platform endorsement 
entities. 



Check algorithm identifier = 
1:2:840:113549:1:1:5. else reject. Validate 
the signature on the certificate using the 
public key of the Platform Endorsement 
Entity (which should be a 2048-bit RSA key), 
obtained by an out-of-band means and 
referenced by "issuer' and "authority key 
identifier" 

No action. 



Check that the current time is later than the 
notBefore time, else reject. 
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Attributes 



Issuer unique 
identifier 

Extensions 

Certificate 



the latest time permitted by the 
encoding scheme). 

A "supported algorithms" attribute 
(see X.509) indicating the 
cryptographic algorithms supported by 
the platform. 

Include the TCG Specification 
Version" attribute, with field values 
correctly reflecting the highest version 
of the TCG specification with which 
the platform implementation 
conforms. 

If the TPM has been successfully 
evaluated against a Common Criteria 
protection profile, then include the 
TPM protection profile identifier 
attribute. 

If the TPM has been successfully 
evaluated against a Common Criteria 
security target, then include the TPM 
security target identifier attribute. 

If the RTM and the means by which 
the TPM and RTM have been 
incorporated into the platform have 
been successfully evaluated against a 
Common Criteria protection profile, 
then include the "foundation 
protection profile" identifier attribute. 

If the RTM and the means by which 
the TPM and RTM have been 
incorporated into the platform have 
been successfully evaluated against a 
Common Criteria security target, then 
include the "foundation security 
target" identifier attribute. 

If there is, or will be. a Platform 
Conformance Certificate, then a 
ConformanceCertificateLocatlon 
attribute should be included to 
indicate how. and from where, it can 
be retrieved. 

Optionally, include the "security 
qualities" attribute with a text string 
reflecting the security qualities of the 
platform. (Note: this is the platform 
distributed validation.) 

Omit. 



Assign "critical" the value TRUE 



Transfer the object identifiers for any 
acceptable algorithrns to the TPM identity 
certificate "subject directory attributes" 
extension. 

Check that the TCG specification version Is 
acceptable, else reject. 



Optionally, check whether the identifier is 
acceptable. Transfer the protection profile 
identifier to the TPM identity certificate. 



Optionally, check whether the identifier is 
acceptable. Transfer the security target 
identifier to the TPM identity certificate. 

Optionally, check whether the identifier is 
acceptable. Transfer the protection profile 
Identifier to the TPM identity certificate 
"subject directory attributes" extension. 



Optionally, check whether the identifier is 
acceptable. Transfer the security target 
Identifier to the TPM identity certificate 
"subject directory attributes" extension. 



Use the information to locate and retrieve the 
corresponding Platform Conformance 
Certificate. 



Optionally (and if present), check whether 
the platform implementation has acceptable 
security qualities. Transfer to the TPM 
identity certificate "subject directory 
attributes" extension. 

No action. 



Check that at least one acceptable 
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policies 



Subject 

alternative 

name 



Authority 
identifier 



key 



SOA Identifier 

Authority 
Attribute 
Identifier 

Role 

Specification 

Certificate 

Identifier 

Basic Attribute 
Constraints 

Delegated 

Name 

Constraints 

Time 

Specification 

Acceptable 

Certificate 

Policies 



Attribute 


Omit. 


Descriptor 




User Notice 


Omit. 


No Rev 


Omit. 


Available 




Acceptable 


Omit. 


Privilege 




Policies 





Assign policyldentifier at least one 
object identifier. Assign the cPSuri 
policy qualifier the value of an HTTP 
URL at which a plain language 
version of the platform manufacturer's 
certificate policy may be obtained. 
Assign the explicit text userNotice 
policy qualifier the value "TCG 
Trusted Platfonm Endorsement". 

Assign "criticar the value FALSE. 
Include the platform name, uniquely 
identifying the type of the platform 
with RDNs for the manufacturer, 
model and version numbers. 

Assign "critical" the value FALSE. 
Assign the value of "subject key 
identifier" from the platform 
endorsement entity certificate, if 
available, else omit. 

Omit. 

Omit. 



Omit. 



Assign 
Assign 

Omit. 



Omit. 



"critical" the value TRUE 
"authority- the value FALSE. 



policyldentifier value is present. Transfer the 
policylnfomnation value to the TPM identity 
certificate "certificate policies" extension. 



Assign "critical" the value TRUE 
Assign one or more of the values of 
policyldentifier from the certificate 
policies extension of the TPM 
endorsement certificate. 



Check that the manufacturer, model and 
version numbers are acceptable. Transfer to 
the TPM identity certificate "subject 
alternative name" extension. 

The certificate user may use this value to 
locate the certificate that contains a public 
key of the platform endorsement entity with 
which the signature on this certificate can be 
verified. 

No action. 

No action. 



No action. 

Check that "authority" is FALSE. 
No action. 

No action. 

Check that the certificate policies extension 
of the TPM endorsement certificate contains 
at least one of the values. 

No action. 

No action. 
No action. 

No action. 
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9.5.3 Instantiation of TPM^CONFORMANCE^CREDENTIAL 

Overview 

The Platform Confonr^ance Certificate represents an assertion by the platform conformance entity that the 
referenced platform conforms with the TCG specification. 

Profile 

Note- some fields are assigned a value even though the certificate user performs no action with that 
value. In such cases, the intention is to inhibit non-TCG implementations from making inappropnate use 
of the certificate. 

In the case of the Platform conformance certificate, the issuer is the platform manufacturer and the user 
is a Privacy CA. 



Field 



Version 
Holder 



Issuer 



Issuer action 



Signature 



Serial number 



attrCertValidity 
Period 



Attributes 



Assign value 1 (v2). 

Include the platform name, uniquely 
identifying the type of the platform 
with RDNs for the manufacturer, 
model and version numbers. 

The distinguished name of the 
platform conformance entity. That is 
the entity that asserts that the design 
of the platfonm conforms with the TCG 
specification. (Note: this may be the 
platform manufacturer or a 
conformance test laboratory.) 

Assign algorithm identifier sha- 

IWithRSAEncryption 

(1:2:840:113549:1:1:5). 



Assign a value unique per evaluated 
series of a TBB amongst all 
certificates issued by "issuer" 

Assign notBefore to the current time 
and notAfter to a later time (maybe 
the latest time penrnitted by the 
encoding scheme). 

Include a "supported algorithms" 
attribute (see X.509) indicating the 
algorithms supported by the platform. 

Include the "TCG specification 
version" attribute, with field values 
correctly reflecting the highest version 
of the TCG specification with which 
the platform implementation 



User action 



Check value = 1 . else reject. 

Check that the value is the same as the 
value in the corresponding Platform 
Endorsement Certificate. Subject Alternative 
Name extension, else reject. 

Check that the name is the name of one of 
the acceptable platform conformance 
entities. 



Check algorithm identifier = 
1:2:840:113549:1:1:5, else reject. Validate 
the signature on the certificate using the 
public key of the platform conformance entity 
(which should be a 2048-brt RSA key), 
obtained by an out-of-band means and 
referenced by "issuer* and "authority key 
identifier". 

No action. 



Check that the current time is later than the 
notBefore time, else reject. 



Transfer the object identifiers for any 
acceptable algorithms to the TPM identity 
certificate "subject directory attributes" 
extension. 

Check that the TCG specification version is 
acceptable, else reject. 
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Issuer unique 
identifier 

Extensions 

Certificate 
policies 



Subject 

alternative 

name 



Authority key 
identifier 



SOA Identifier 



conforms. 

If the TPM has been successfully 
evaluated against a Common Criteria 
protection profile, then include the 
TPM protection profile identifier 
attribute. 

If the TPM has been successfully 
evaluated against a Common Criteria 
security target, then include the TPM 
security target identifier attribute. 

If the RTM and means by which the 
RTM and TPM are incorporated into 
the platform has been successfully 
evaluated against a Common Criteria 
protection profile, then include the 
foundation protection profile identifier 
attribute. 

If the RTM and the means by which 
the RTM and TPM have been 
incorporated into the platform have 
been successfully evaluated against a 
Common Criteria security target, then 
include the foundation security target 
identifier attribute. 

Omit. 



Assign "critical" the value TRUE 
Assign policyldentifier at least one 
object Identifier. Assign the cPSuri 
policy qualifier the value of an HTTP 
URL at which a plain language 
version of the platform conformance 
entity's certificate policy may be 
obtained. Assign the explicit text 
userNotice policy qualifier the value 
"TCG Conformance Credential". 

Assign "critical" the value FALSE 
Include the platform name, uniquely 
identifying the type of the platform 
with RDNs for the platform 
manufacturer, model and version 
numbers. 

Assign "criticar the value FALSE. 
Assign the value of "subject key 
identifier^ from the platform 
conformance entit/s public-key 
certificate, if available, else omit. 

Omit. 



Check that the identifier is acceptable. 
Transfer the protection profile identifier to the 
TPM identity certificate. 



Check that the identifier is acceptable. 
Transfer the security target identifier to the 
TPM identity certificate. 

Check that the identifier is acceptable. 
Transfer the protection profile identifier to the 
TPM identity certificate "subject directory 
attributes" extension. 



Check that the identifier is acceptable. 
Transfer the security target identifier to the 
TPM identity certificate "subject directory 
attributes" extension. 



No action. 



Check that at least one acceptable 
policyldentifier value is present. Transfer the 
policylnfomriation value to the TPM identity 
certificate. 



Check that the manufacturer, model and 
version numbers are identical to those in the 
platfonm endorsement certificate "subject 
alternative name" extension. 



The certificate user may use this value to 
locate the certificate that contains a public 
key of the platform conformance entity with 
which the signature on this certificate can be 
verified. 



No action. 
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Authority 


Omit. 


No action. 


Attribute 






Identifier 






Role 


Omit. 


No action. 


Specift cation 






oeruiicaie 






laenxiTier 






Basic Attribute 


Assign "critlcar the value TRUE. 


Check that authority is hALot. 


Constraints 


Aeeinn "di ithnriK/" th^ \/P)llJ6 FALSE 




Delegated 


Omit. 


No action. 


Ktomo 
INaiTie 






Constraints 






1 irric 


Omit. 


No action. 


Specification 






Accepiaoie 




No action. 


Certificate 






Policies 






Attribute 


Omit. 


No action. 


Descriptor 






User Notice 


Omit. 


No action. 


No Rev 


Omit. 


No action. 


Available 






Acceptable 


Omit. 


No action. 


Privilege 






Policies 
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9.5.4 Instantiation of VALIDATION_DATA 




Overview 

The validation data certificate represents an assertion by the component validation entity that the 
component Instructions referenced by the certificate have the attributes conveyed in the certificate. The 
certificate syntax conforms with the X.509 definition for an attribute certificate. 



In the case of the validation certificate, the issuer \s the Validation Entity and the user is a TPS. 



Field 


Issuer action 


User action 


Version 


Assign value 1 (v2). 


Check value = 1 , else reject. 


Holder 


ObjectDigestlnfo with missing object 
identifier. The value of objectDigest shall 
be the digest calculated over the memory 
image of the software instructions using 
the identified digest algorithm. 


Calculate the digest of the memory 
Image of the software instructions and 
check that It is Identical to the value In 
this field prior to passing control to the 
component, else reject. 


Issuer 


The distinguished name of the 
component validation entity. That is the 
entity that asserts that the component 
exhibits the attributes contained in the 
certificate. (Note: typically, but not 
necessarily, the manufacturer of the 
component). 


Check that the name is the name of one 
of the acceptable component validation 
entities. 


Signature 


Assign algorithm identifier sha- 
1 witn KoAcncrypuon 
(1:2:840:113549:1:1:5). 


Check algorithm Identifier = 
l-9-ft40-1 13549*1 '1 "5 else reiect 
Validate the signature on the certificate 
using the public key of the software 
manufacturer (which should be a 2048-bit 
RSA key), obtained by an out-of-band 
means and referenced by "issuer" and 
"authority key Identifier". 


Serial number 


Assign a value unique amongst all 
certificates issued by "issuer". 
Uniqueness to be determined by the 
manufacturer. 


No action. 


attrCertValidityPe 
riod 


Assign notBefore to the current time and 
notAfler to a later time (maybe the latest 
time permitted by the encoding scheme). 


Check that the current time is later than 
the notBefore time, else reject. 


Attributes 


Include the "TCG specification version" 
attribute, with field values correctly 
reflecting the highest version of the TCG 
specification with which the component 
conforms. 


Check that the TCG specification version 
is acceptable, else reject. 




Optionally, Include the "security qualities" 
attribute with a text string reflecting the 
security qualities of the component. 
(Note: this is the component distributed 


Optionally (and If present), check 
whether the component implementation 
has acceptable security qualities. 
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validation.) 




Issuer unique 
identifier 


Omit. 


No action. 


Extensions 






Certificate 
policies 


Assign "critical" the value TRUE. Assign 
policyldentifier at least one object 
identifier. Assign the cPSuri policy 

/viifalifiAr tho wsiliio nf an HTTP URL at 
QuaiiTier ine vciiu6 oi an n i i f ok 

which a plain language version of the 

component conformance entity's 

certificate policy may be obtained. 

Assign the explicit text userNotice policy 

qualifier the value "TCG Validation Data". 


Check that at least one acceptable 
policyldentifier value is present. 


Subject 

Alternative Name 


Assign "criticar the value FALSE. 
Include the component name, using the 
"component name" attribute, with RDNs 
for the component manufacturer, model 
and version numbers. 


May be used to determine whether or not 
the component is trustworthy. 


Authority key 
identifier 


Assign "criticar the value FALSE. Assign 
the value of "subject key identifier" from 
the component validation entity 
n^rtifir^te if available else omit. 


The certificate user may use this value to 
locate the certificate that contains a 
public key of the component validation 
entity with which the signature on this 
certificate can be verified. 


oL/M iQeniiTier 


Omit 


No action. 


Authority 
AnnDUie 
Identifier 


Omit. 


No action. 


KOie 

Specification 

Certificate 

Identifier 


Omit 
1 III. 


No action. 


Basic Attribute 
Constraints 


Assign "critical" the value TRUE. Assign 
"authority" the value FALSE. 


Check that "authority" is FALSE. 


Delegated Name 
Constraints 


Omit. 


No action. 


Time 

Specification 


Omit. 


NO action. 


Acceptable 

Certificate 

Policies 


Omit 


No action. 


Attribute 
Descriptor 


Omit. 


No action. 


User Notice 


Omit. 


No action. 


No Rev Available 


Omit. 


No action. 


Acceptable 
Privilege Policies 


Omit. 


No action. 
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9.5.5 Instantiation of TPM_IDENTITY_CREDENTIAL 




If the data structure <TPM identity certificate> is stored on a platform after an Owner has taken ownership 
of that platform, it SHALL exist only in storage to which access is controlled and Is available to authorized 
entities. 



Overview 

The TPM identity certificate represents an assertion by the Privacy CA that the referenced TPM identity is 
controlled by a TPM that confonns with the TPM specification. It contains a different public key to that 
contained in the TPM endorsement certificate, but it contains Identifying and policy information transfenred 
from the TPM endorsement, platform endorsement and platform conformance certificates. 

Profile 

Note: 

• Some fields are assigned a value even though the certificate user performs no action with that 
value. In such cases, the Intention is to inhibit non-TCG implementations from making 
inappropriate use of the certificate. 

• The policies identified in the TPM and platform certificates are represented by oids and are not 
distinguishable except by reference to the contents of the polides themselves. The venfier, 
however, must be able to distinguish between the different policy types. 

In the case of the TPM identity certificate, the issuer is the Privacy CA and the user is an integrity 



verifier. 



Field 


Issuer action 


User action 


Version 


Assign value 2 (v3). 


Check value = 2, else reject. 


Serial number 


Assign a value unique amongst all 
certificates issued by "issuer". 


No action. 


Signature 


Assign algorithm identifier sha- 
1 With RS AEncryptlon 
(1 :2:840: 113549:1:1:5). 


Check the algorithm identifier 
1:2:840:113549:1:1:5. else reject. Validate 
the signature on the certificate using the 
public key of the Privacy CA (which should 
be a 2048-bit RSA key), obtained by an out- 
of-band means and referenced by "issuer 
and "authority key identifier". 


Issuer 


The distinguished name of the Privacy 
CA. 


Check that the name is the name of an 
acceptable Privacy CA. 


Validity 


Assign notBefore to the current time 
and notAfter to a later time (maybe 
the latest time penmitted by the 
encoding scheme). 


Check that the current time is later than the 
notBefore time, else reject. 


Subject 


NULL. 


No action. 


Subject public 


Assign algorithm identifier sha- 


Check alqorithm Identifier = 
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l^ey info 



Issuer unique 
identifier 

Subject 

unique 

identifier 



Extensions 

Authority 
identifier 



key 



key 



Subject 
identifier 

Key usage 



Extended key 
usage 

Private key 
usage period 

Certificate 
policies 



Policy 
mappings 

Subject 

alternative 

name 



1 WithRSAEncryption 
(1:2:840:113549:1:1:5). The 2048-bit 
RSA public key provided to the 
Privacy CA by the TPM owner in the 
identity request message. 

Omit. 



Omit. 



Assign "critical" the value FALSE. 
Assign the value of "subject key 
identifier" from the Privacy CA's 
public-key certificate, if available, else 
omit. 

Omit. 

May be omitted, if included, then the 
digital signature bit shall be set TRUE. 

Omit. 



Omit. 

Assign "critical" the value TRUE. 
Assign policyldentifier at least one 
object identifier. Optionally, assign 
the cPSuri the value of an HTTP URL 
at which a plain language version of 
the Privacy CA*s certificate policy may 
be obtained. Assign the explicit text 
userNotice policy qualifier the value 
"TCG Trusted Platform Identity". 
Also, include the policylnfonnation 
values from the certificate policies 
extensions of the TPM endorsement 
and platform endorsement and 
conformance certificates provided in 
the TPM identity request message. 

Omit. 

Assign "critical" the value FALSE. 
Include three values in the extension: 

The TPM manufacturer, model and 
version numbers from the TPM 
endorsement certificate "subject 
alternative name" extension provided 
in the TPM identity request message; 

The platform manufacturer, model 



1:2:840:113549:1:1:5, 
public key in the 
procedure. 



No action. 



else reject. Use the 
integrity verification 



No action. 



The certificate user may use this value to 
locate the certificate that contains a public 
key of the Privacy CA with which the 
signature on this certificate can be verified. 

No action. 

If present, then check that the digital 
signature bit is TRUE, else reject. 

If present and marked critical, then reject. 

If present, then check that the current time is 
later than tiie notBefore time, else reject. 

Check that at least one acceptable Privacy 
CA policyldentifier value is present. 
Optionally, check that at least one 
acceptable TPM endorsement, one 
acceptable platform endorsement and one 
acceptable platform conformance 
policyldentifier value are present. 



No action. 

Check that the manufacturer, model and 
version numbers of the TPM and of the 
platform are acceptable. 
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Issuer 

alternative 

name 

Subject 

directory 

attributes 



and version numbers from the 
platform endorsement certificate 
"subject alternative name" extension 
provided in the TPM identity request 
message; and 

The TPM identity label provided to the 
Privacy CA by the TPM owner in the 
identity request message, encoded as 
a TPMIdLabel other-name. The TPM 
owner should choose a label syntax 
and semantics that are understood by 
the integrity verifier. (Note: the 
specified syntax accommodates multi- 
byte character sets). 

Omit. 



Assign "criticar the value FALSE. 
Include a multi-valued "supported 
algorithms" (see X.509) attribute 
containing object identifiers from the 
"subject directory attributes" extension 
of the TPM endorsement certificate 
and the "attributes" field of the 
platform endorsement certificate and 
the platfonn conformance certificate 
provided in the TPM identity request 
message. 

Include the single-valued "TPM 
protection profile" attribute from the 
platform endorsement certificate 
provided in the TPM identity request 
message. 

Include the single-valued "TPM 
security target" attribute from the 
platform endorsement certificate 
provided in the TPM identity request 
message. 

Include the single-valued "Foundation 
protection profile" attribute from the 
platform endorsement certificate 
provided in the TPM identity request 
message. 

Include the single-valued "Foundation 
security target" attribute from the 
platform endorsement certificate 
provided in the TPM identity request 
message. 

Include the "security qualities 
attribute from the TPM endorsement 
certificate provided in the TPM identity 
request message. (Note: this is the 



No action. 



Adapt the integrity verification protocol to use 
only algorithms supported by the TPM and 
the associated platform. 



Check that the identifier Is acceptable. 



Check that the identifier is acceptable. 



Check that the identifier is acceptable. 



Check that the identifier is acceptable. 



Optionally (and if present), check whether 
the TPM has acceptable security qualities. 
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TPM distributed validation.) 






Include the "security qualities" 


Optionally (and if present), check whether 




attribute from the platform 


the platfonn has acceptable security 




endorsement certificate provided in 


ni isilitioG 
ii|Uaiiuo9. 




the TPM iflentity requesi mesbeiye. 






(Note: this is the platform distributed 






validation.) 






Include the "TCGVersion" attribute 


Check that the TCG specification version is 




provided in the TPM identity request 


acceptable, else reject. 




message. 




Basic 


Assign "critlcar the value TRUE. 


No action. 


constraints 


Assign XA" the value FALSE. 




Naoie 


Omit. 


No action. 


constraints 






Policy 


Omit. 


No action. 


constraints 






Inliibit any 


Omit. 


No action. 


policy 






CRL 


Omit. 


If present and marked critical, then reject. 


distribution 






points 
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9.5.6 ASN.1 Definitions 




The syntax of the "security qualities" attribute is as follows: 

SecurityQualities ATTRIBUTE : := { 

WZTH SYNTAX SecurityQualities 
ID TCG-tpmSecurityQualities > 

SecurityQualities ::= SEQUENCE { ^ 

version INTEGER, ~0 for this version of the attribute syntax ~ 
stat-ement [0] UTFSString } 

Note: future versions of this certificate profile may define additional, optional, "security qualities" fields. 

Inclusion of the "statement" field will remain mandatory. 

The syntax of the "TCG Specification Version" attribute is as follows: 

TCGSpecVersion ATTRIBUTE : := { 

WITH SYNTAX TCGSpecVersion 
ID TCG-specVersion > 

TCGSpecVersion : : = SEQUENCE ( 
major INTEGER, 
minor INTEGER > 



The syntax of the protection profile and security target attributes is as follows: 

TPMProtectlonProfile ATTRIBUTE : := { 
WITH SYNTAX ProtectlonProf He 
ID TCG-at-tipmProtectionProf He } 

TPMSecurityTarget ATTRIBUTE : := { 
WITH SYNTAX SecurltyTarget 
ID TCG-at-tpmSecurityTarget } 

FoundationProtectionProfile ATTRIBUTE : := { 
WITH SYNTAX ProtectlonProf He 
ID TCG-at-foundatlonProtectlonProfile > 

FoiandationSecurityTarget ATTRIBUTE : := { 
WITH SYNTAX SecurityTarget 
ID TCG-at-foiandationSecurltyTarget } 
ProtectlonProf He : := OBJECT IDENTIFIER 
SecurityTarget OBJECT IDENTIFIER 

The syntax of the "component name" attribute is as follows: 

ConponentName ATTRIBUTE : := { 
WITH SYNTAX Name 
ID TCG-at-componentName } 
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The following definitions define the syntax of the RDNs used in the subject alternative name extension to 
identify the type of the TPM and the platform. 

TpidManu£acburer ATTRIBUTE : := { 
WITH SYNTAX OTFBString 
ID TCG-at-tqpnManufacturer ) 



TpnModel ATTRIBUTE : := { 

WITH SYNTAX UTFSString 
ID TC6-at-QpnAtodel ) 

TpmVerslon ATTRIBOTE : := { 

WITH SYNTAX UTFSString 
ID TCG-at-tpiaVersion } 

PlatfomManufacturerl ATTRIBUTE : := { 
WITH SYNTAX UTFSString 
ID TCG-at-platformManufacturer } 

Platf omModel ATTRIBUTE : : = { 
WITH SYNTAX UTFSString 
ID TCG-at-platformModel } 

Platf ormVersion ATTRIBUTE : : = { 
WITH SYNTAX UTFSString 
ID TCG-at-platformVersion } 

TPMIdLabel OTHER-NAME : := {UTFSString IDENTIFIED BY (TCG-at-tpmldLabel) ) 



-Object identifier assignments — 

TCG 

TCG- spe aversion 
TCG-attribute 
TCG-protocol 
TCG-at- tpmManu£ac turer 
TCG-at- tpnAfodel 
TCG-at-'^mVersion 
TCG-at-platfornAlanu£acturer 
TC6-at-plat£oniA16del 
TCG-at-platformVersxon 
TCG-at - coinponen tManufac tur e r 
TCG-at-conponentModel 
TCG-at-componentVersion 
TCG-at- securityQuali ties 
TCG-at- tpmPr o tec tionPro file 
TCG-at- tpmSecurityTar get 



OBJECT IDENTIFIER : l' 
OBJECT IDENTIFIER : 
OBJECT IDENTIFIER : 
OBJECT IDENTIFIER : 
OBJECT IDENTIFIER : := {TCG 

OBJECT IDENTIFIER : 
OBJECT IDENTIFIER : := {TCG 
OBJECT IDENTIFIER 
OBJECT IDENTIFIER 
OBJECT IDENTIFIER 
OBJECT IDENTIFIER : := {TCG 

OBJECT IDENTIFIER : 
OBJECT IDENTIFIER : :« {TCG 
OBJECT IDENTIFIER 
OBJECT IDENTIFIER 
OBJECT IDENTIFIER 



TCG-at-foundationProtectionProfile OBJECT IDENTIFIER 
TCG-at-foundationSecurityTarget OBJECT IDENTIFIER 

TCG-at-temldl-abel OBJECT IDENTIFIER : := {TCG 

TCG-prt-tpnldProtocol OBJECT IDENTIFIER : : = 



= {2-23-133} 
= {TCG-1} 
B {TCG-2} 
= {TCG-3} 
-attribute 1} 
= {TCG-attribute 2} 
-attribute 3} 
= (TCG-attribute 4) 
= {TCG-attribute 5} 
= {TCG-attribute 6} 
-attribute 7} 
= {TCG-attribute 8} 
-attribute 9} 
= {TCG-attribute 10} 
ss {TCG-attribute 11} 
= {TCG-attribute 12} 
s {TCG-attribute 13} 
= {TCG-attribute 14} 
-attribute 15} 
= {TCG-protocol 1} 
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10. Conformance Criteria 
10.1 Base Levels for Interoperability 



fmooificatjon, senmm 
f4tnrfl^anff-forward.J'^^ ^ 



tfonSJ 



frequ^sto|:Jo detejrmin^™^J^^^ 





focol allc-- " 



|gpDthnf!sand'R^^^ 




The algorithms and protocols in this specification are the REQUIRED algorithms and protocols. A TPM 
subsystem MAY support additional algorithms and protocols. When this specification specifies the use of 
the TSS for a feature, an implementation MAY place the feature in the TPM. 

The interoperability requirements shall be implemented at the TSS layer not the TPM It is the 
responsibility of the TPM manufacturer to produce a vendor specific byte stream generator. The TSS will 
provide a generic API that all applications for a specific platform (PC. PDA. etc) can use. 
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10.2 Conformance Specification Sheet 
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10.3 Protoc I Negotiation and Algorithm Agility 




The TPM MUST support the base algorithms specified for each operation. The TPM MAY support 



additional algorithms and parameters. 
The TPM manufacturer MUST include in the TPM credential all algorithms that the TPM supports. 
The TSS manufacturer MUST include In the platform credential all algorithms that the TSS supports. 
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10.4 Cryptographic Alg rithms and Prot cols 




10.4.1 Asymmetric 




• The TPM MUST support RSA. 

• The TPM MUST use the RSA algorithm for encryption and digital signatures. 

• The TPM MUST support key sizes of 512, 1024. and 2048 bits. The TPM MAY support other key 
sizes. The minimum RECOMMENDED key size is 1024 bits. 

• The RSA public exponent MUST be e, where e = 2^®+1 . 

TPM devices that use CRT as the RSA implementation MUST provide protection and detection of failures 
during the CRT process to avoid attacks on the private key. 

The TPM MAY implement other asymmetric algorithms such as DSA or elliptic curve. These algorithms 
may be in use for wrapping, signatures, and other operations. There is no guarantee that these keys can 
migrate to other TPM devices or that other TPM devices will accept signatures from these additional 
algorithms. 

All Storage keys MUST be of strength equivalent to a 2048 bits RSA key or greater. The TPM SHALL 

NOT load a Storage key whose strength less than that of a 2048 bits RSA key. 

All TPM Identity keys MUST be of strength equivalent to a 2048 bits RSA key, or greater. 



10.4.2 Symmetric 
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The TSS MUST support 3DES. 3DES SHOULD be the symmetric algorithm of choice. The key size of 
3DES MUST be 196 bits (three 64-bit keys). 3DES MUST be run in encrypt-decrypt-encrypt (EDE) mode. 
The TSS MUST provide detection of weak 3DES keys. 

The TSS MUST support DES. The key size for DES MUST be 64 bits (56 bits plus parity). The TSS 
MUST provide detection of weak DES keys. 

The TSS SHOULD have support for AES when it becomes available. 
A TPM MUST support the storage of at least 256-bit symmetric keys. 

10.4.3 Hashing 

The TPM MUST support the SHA-1 hash algorithm as defined by FIPS-180-1 . The output of SHA-I is 160 
bits and all areas that expect a hash value are REQUIRED to support the full 160 bits. 

10.4.4 Signature Operations 

The TPM MUST use the RSA algorithm for signature operations. 

The TPM MAY use other asymmetric algorithms for signatures; however, there is no requirement that any 
other TPM device either accept or verify those signatures. 

The TPM MUST use PI 363 for the fonmat and design of the signature output. 
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10.4.5 Creating a PCR c mposlte liash 

The definition specifies the operation necessary to create TCG_COMPOSITE_HASH. 
Action 

The hashing MUST be done using the SHA-1 algorithm. 
The input must be a valid TCG_PCR_SEI^CTION structure. 

Th^ nrocess creates a TCG PCR COMPOSITE structure from the TCG_PCR_SELECTI ON structure 
S £e PCR values to be hashed-'lf constmcted by the TPM the values MUST come from the current 
?CR regrstei inSeS by the PCR indices in the TCG_PCR_SELECTION structure. 
The piocess then computes a SHA-1 digest of the TCG_PCR_COMPOSlTE structure. 
The output is the SHA-1 digest just computed. 

10.4.6 Creating TCG_CHOSENID_HASH 

This definition specifies the operation necessary to create a TCG_CHOSENID_HASH structure. 



Type 


Name 


Description 


BYTE [] 


identityLabel 


The label chosen for a new TPM identity 


TCG_PUBKEY 


privacyCA 


The public key of a privacy CA chosen to 
attest to a new TPM Identity 



Action 

The hashing MUST be done using the SHA-1 algorithm. 

The process concatenates IdentityLabel and privacyCA (identityLabel followed by privacyCA) and 
computes a SHA-1 digest of the concatenated data. 
The output is the SHA-1 digest just computed. 

10.4.7 Using Secret Keys 




A secret key is a key that is a private asymmetric key or a symmetric key. 

Data SHOULD NOT be used as a secret key by a TCG protected capability unless that data has been 
extant only in a shielded location. 

A key generated by a TCG protected capability SHALL NOT be used as a secret key unless that key has 
been extant only in a shielded location. 

A secret key obtained by a TCG protected capability from a Protected Storage blob SHALL be extant only 
in a shielded location. 
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10.5 Random Number Generator (RNG) 




The RNG for the TPM will consist of the following components: 

• Entropy source and collector 

• State register 

• Mixing function 

The RNG capability is a TPM-protected capability with no access control. 

The RNG output may or may not be shielded data. When the data is for internal use by the TPM (e.g.. 
IsymmeTric k^^^^^^^^ ?he data MUST be held in a shielded location. When the data .s for use by 

the TSS or another external caller, the data Is not shielded. 

10,5.1 Entropy Source and Collector 




The entropy source MUST provide entropy to the state register in a manner that provides ent^^ 

not visible to an outside process. For compliance purposes, the entropy source MAY be in the TSS and 

not the TPM; however, attention MUST be paid to the reporting mechanism. 

The entropy source MUST provide the Information only to the state register. ^^^/"jJ^Py f^^^^^^^ 
orovide information that has a bias, so the entropy collector must remove the bias before updating the 
SSr?eStr The bias removal could use the mixing function or a function specifically designed to 
SSdIe the Was S source. The entropy source can be a single device (such as hardware 

STori Smb^aton of events (such as disk timings). It is the responsibility of the entropy collector to 
update the state register whenever the collector has additional entropy. 

10.5.2 State Register 
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The state register is in a TPM-shielded location. The state register MUST be non-volatile. The update 
function to the state register is a TPM-protected capability. The primary input to the update function 
SHOULD be the entropy collector. 



If the cun^nt value of the state register is unknown, calls made to the update function with known data 
MUST NOT result in the state register ending up in a state that an attacker could know. This requirement 
implies that the addition of known data MUST NOT result in a decrease in the entropy of the state 
register. 

The TPM MUST NOT export the state register. 



10.5.3 Mixing Function 




Each use of the mixing function MUST affect the state register. This requirement is to affect the volatile 
register and does not need to affect the non-volatile state register. 



10.5.4 RNG Reset 




The RNG MUST NOT output any bits after a system reset until the following occurs: 

• The entropy collector perfonns an update on the state register. This does not include the adding of 
the previous state but requires at least one bit of entropy. 



• The mixing function performs a self-test. This self-test MUST occur after the loading of the previous 
state. It MAY occur before the entropy collector performs the first update. 
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10.6 Key Gen ration 




10.6.1 Asymmetric 

The TPM MUST generate asymmetric Icey pairs. The generate function Is a Protected rapaWiity and the 
pri^te key is hekJ in a shielded location. The implementation of the generate function MUST be in 
accordance with P 1 363 . 

The Drime-number testing for the RSA algorithm MUST use the definitions of P1363 If additional 
IsymSc a^^^^^^^ are available, they MUST use the definitions from P1363 for the underlying basis 
of the asymmetric key (for example, elliptic curve fitting). 

10.6.2 Symmetric 

The TSS MUST generate a symmetric key by taking the next n bits from the TPM RNG. 

The TSS SHOULD provide any processing of a symmetric key. Processing is an algorithm-specific 

operation and implementation is lefl to the designer. 

10.6.3 Nonce Creation 

The creation of all nonce values MUST use the next n bits from the TPM RNG. 
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10.7 Auditing 




The TPM MUST be able to generate audit events for all TCG protected capabilities. 

The TPM Owner MUST be able to select the functions that will generate an audit event at any time. 

The TPM MUST provide a PGR to store and log the audit events. The TPM MUST allow fo^^^ 

of the current audit log PGR value. The value that the TPM adds to the TPM audit PGR MUST be the 

TGG_AUDIT_EVENT structure. 

The TSS MUST provide a log of all TPM-generated events. The TPM will generate the event and the TSS 
will fill in the event details. The TPM SHALL provide as much detail as it has available; ^^o^ever the TSS 
MUST fill in all remaining details for the audit event. For instance, the audit ^Y?"* ^ tlSZt 
time stamp on the event. There is no requirement for a clock function in the TPM. so the date and time 
would come normally from the TSS. 

The TPM MAY generate audit events for other functions and activities not on this list. 
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1 0.8 Self -Tests mechanisms to allow the self-tests to 

The TPM MUST provide startup self-tests. The TPM MUb i proviae 

KhSmuTalleously contnuing to test me sl9-«i« ena.ne. 
in the time constraints. 

The TPM MUST report the tests that it performs. rhallenoer 
The TPM MUST provide a mechanism to allow seff-test to execute on request by any Chal enger. 
Te TPM MUST pro>.de for testing of some operations duHng each execution of the operaton. 

10.8.1 Required Self-Tests 
The TPM MUST check the following: 

. RNG functionality. This test follows FIPS 140-1 . which checks the funct.on.ng of an RNG. 
: elding the IntegHty registers. The self-test for .e IntegHty registers .1. leave the 

inteqrity registers in a l<nown state. 

epoxy surrounding the case. 

10.8.2 Recommended Checks 

The TPM SHOULD check the following: 

^i,..r.iem The TPM should wrap and unwrap a key. The TPM MUST nui use 
• The key-wrapping mechanism. The i kwi snouiu wian 
the endorsement key pair for this test. 
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. Update. The updat function MAY replace invalid microcode, providing that th parts of the TPM that 

provide update functionality have passed self-test. 
All other operations will return the enror code TCG_FAILEDSELFTEST. 

10.9 Object Reuse 

The TPM MUST destroy and erase all temporal objects when the TPM finishes P^^^f '"Sj'^^ 
use of an object can be a long-term operation. For instance, the TPM could load an ider^tty key and keep 
the key in rnSo^^ whL performing multiple challenge and response operations. There .s no requ'rement 
S untoad SeoSert after each operation, but there is a requirement that the object be properly disposed 
of when all operations are complete. 

When an internal TPM process uses objects, no Information regarding the object niay be available to 
S3e Sricesses. The TPM MUST enfo/ce access control to all objects carrying sensrtive .nforniatoon. 



lO.IOMaintenance 




The maintenance feature MUST ensure that the information can be on only one TPM at a time. 
MatnteSL MUST ensure that at no time the process will expose a shielded locatoon. Maintenance 
MUST require the active participation of the Owner. 

10.11 Backup 




The TPM MUST support the backup feature. The TPM MUST create a blob of migratable data that Is 
readable by any oStpM. A receiving TPM MAY reject a backup blob If the underlying .nfomiation is a 
non-standard size or algorithm. 

10.12Strength of Function 

|^Ha^erl||i%^^^^^^iM| 
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The TPM MUST report the SOF values to a Challenger and the SOF values MUST be part of the TPM 
endorsement certificate and the platfonn confonmance certificate. 



10.13Physlcal Protection 




TPM MUST satisfy the FIPS 140-1 (or it's successor) level 2 physical security requirements, or ifs 
equivalent. 

10-14Protection Profile 
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10.15Compliance to Specification 




10.1 6 Field Upgrade 




The TPM SHOULD have provisions for upgrading the subsystem after shipment from the manufacturer. If 
provided the mechanism MUST follow the requirement from section 8.16 . 

10.17Pliysicai Presence or Access 
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The requirement for physical presence MUST be met by the platform manufacturer using some physical 
mechanism. 



10.17.1 TSC_PhyslcalPresence 




Type 

TCG connection capability. Optional function this functionality can be implemented by any vendor specific 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


S2 


# 


SZ 


1 


2 






TCG.TAG 


tag 


TPM_TAG^RQU.COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes induding paramSize and tag 


3 


4 






TCG_COMMAND_CODE 


ordinal 


Command ordinal, fixed value of 
TSC.ORD.PhyslcalPresence. 


4 


2 






TCG PHYSICAL P 
RESENCE 


physicalPresence 


The state to set the TPM's Physical Presence flags. 


Cuts 


|olng ( 


}perar 


ids an 


d Sizes 




HMAC 


1 Type 


Name 


Description 


# 




• 
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1 


2 






TCG.TAG 


tag 




2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TCG.RESULT 


retumCode 


The return code of the operation. See section 4.3 of Main 
Specification. 



Descriptions 

This command must implemented In the TPM. however support for ail of the bits is optional. 

The operation sets the state of the physicalPresenceLifetimeLock. physicalPresenceHWEnable and 

physicalPresenceCMDEnabie flags to indicate how physical presence is to be indicatal. It also sete the 

PhysicalPresence and PhysicalPresenceLock flags, If enabled, during operation of the Platfomi to 

indicate physical presence. This is a bit masl^ allowing a combination of flags to be set in a single 

operation. 

Note- The TPM Physical Enable requires unambiguous evidence of the presence of physical access. This 
is a higher leveTof proof than the other "physical presence" commands. A PhyreicalPresence flag se to 
TRUE, SHALL NOT be sufficient proof to permit execution of TPM_PhysicalEnable unless it is impossible 
for software to subvert the TSC_PhysicalPresence command. 

Actions 

1 . This operation MUST be implemented to process the values in the following order 

a. physicalPresenceHWEnable and physicalPresenceCMDEnabie 

b. physicalPresenceLifetimeLock 

c. PhysicalPresence 

d. PhysicalPresenceLock 

2. Once the PhysicalPresenceLock flag is set to TRUE, TPM MUST not m^^^^ 
PhysicalPresence flag until a TPMJnit followed by TPM_Startup(stType = TCG-ST CLEAR). Upon a 
TPMJnit and TPM_Startup(stType = TCG_ST_STATE) the TPM MUST set the 
PhysicalPresenceLock flag to FALSE. 

3 If the PhysicalPresenceLock flag Is set to TRUE upon any call to this operation, the TPM MUST 
cause no action and MUST return the enrar TCG_BAD_PARAMETER. 
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10.18Other Specifications 




Individual manufacturers MAY do the additional design and testing to obtain a FIPS 140 certification, but 
there is no requirement that a TCG device obtain this testing. 



Specifications or standards included in this specification 

• PKCS#1 : RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS) Version 2.0 

o RSAES_OAEP (2.0) 
o RSASSA-PKCS1.v1_5 

• ITU-T Recommendation X.509 | ISO/IEC 9594-8: "Information technology - Open Systems 
Interconnection - The Directory: Public-key and attribute certificate frameworks", 4"" Edition. 

• DES/3DES: Data Encryption Standard FIPS 46-3 (DES) : National Institute of Standards and 
Technology 

• ASN.1 : Abstract Syntax Notation One : ITU-T Recommendations X.680-X.683 

• FIPS 140-1: Federal Information Processing Standards Publication 140-1 "Security Requirements 
for Cryptographic Modules" 

• BER: Basic Encoding Rules : ITU-T Recommendation X.690-691 (1997) 

• ISO 15408 (Common Criteria) 

• SHA-1: Secure Hash Algorithm : NIST FIPS PUB 180-1, "Secure Hash Standard," : National 
Institute of Standards and Technology 

• RFC 2104 (HMAC) 
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Appendix A: Glossary 

3DES 

DES using a key of a size that Is 3X the size that of a DES key. See DES. 
Blob 

Opaque data of fixed or variable size. The meaning and interpretation of the data is outside the scope 
and context of the Subsystem. 

Challenger 

An entity that requests and has the ability to interpret Integrity metrics from a Subsystem. 
Conformance Credential 

A credential that states the confonnance to the TCG specification of. the TPM; the method of 
incorporation of the TPM into the platform; the RTM; and the method of incorporation of the RTM Into the 
platform. 

Denial-of-service attack 

A attack on a system (or subsystem) which has no affect on Infomnation except to prevent its use. 
DES 

Symmetric key encryption using a key size of 56 bits defined by NIST as FIRS 46-3. Reference 
httD://csrc.ncsl.nist.aov/crvDtval/des.htm . 

Endorsement Credential 

A credential containing a public key (the endorsement public key) that was generated by a genuine TPM. 
Endorsement Key 

A term used ambiguously, depending on context, to mean a pair of keys, or the public key of that pair, or 
the private key of that pair, an asymmetric key pair generated by a TPM that Is used as proof that a TPM 
is a genuine TPM; the public endorsement key (PUBEK); the private endorsement key (PRIVEK). 

Identity Credential 

A credential issued by a Privacy CA that provides an identity for the TPM. 
integrity metric(s) 

Values that are the results of measurements on the integrity of the platform. 
IMan-in-the-middle attack 

An attack by an entity Intercepting communications between two others without their knowledge and by 
intercepting that communication is able to obtain or modify the infonnation between them. 

IMigratable 

A key which may be transported outside the specific TPM. 
Non-Migratable 

A key which cannot be transported outside a specific TPM; a key that is (statistically) unique to a 
particular TPM. 

Non-Volatile 

Storage location or memory that retain their values after power-off or a TPM Jnit function. 
Owner 

The entity that owns the platform in which a TPM is Installed. Since there is, by definition, a one-to-one 
relationship between the TPM and the platfonn, the Owner is also the Owner of the TPM. The Owner of 
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the platfonn Is not necessarily the "user" of the platfonm (e.g., in a corporation, the Owner of the platform 
might be the IT department while the user is an employee.) The Owner has administration rights over the 
TPM. 

PKI Identity Protocol 

The protocol used to insert anonymous identities into the TPM. 
Platform Credential 

A credential that states that a specific platform contains a genuine TCG Subsystem. 
POST 

POST refers to the Power On Self Test performed by a PC. 
Protection Profile 

A document that defines all attacks and how they are resisted by the TPM. the RTM, and the methods by 
which they are incorporated into the platform. 

Privacy OA 

An entity that issues an Identity Credential for a TPM based on trust in the entitles that vouch for the TPM 
via the Endorsement Credential, the Confonmance Credential, and the Platform Credential. 

Private Endorsement Key (PRIVEK) 

The private key of the key pair that proves that a TPM Is a genuine TPM. The PRIVEK is (statistically) 
unique to only one TPM. 

Public Endorsement Key (PUBEK) 

A public key that proves that a TPM is a genuine TPM. The PUBEK is (statistically) unique to only one 
TPM. 

Random number generator (RNG) 

A pseudo-random number generator that must be initialized with unpredictable data and provides, 
"random" numbers on demand. 

Root of Trust for Measurement (RTM) 

The point from which all trust In the measurement process is predicated. The RTM contains many 
components to provide this level of tmst. The design document shows that the RTM includes a core 
component, the computing engine to run the core component, physical connections of the core and the 
computing engine and other items. 

Root of Trust for Reporting (RTR) 

The point from which all trust in reporting of measured information is predicated. 
Root of Trust for Storing (RTS) 

The point from which all trust in Protected Storage is predicated. 
RSA 

An (asymmetric) encryption method using two keys: a private key and a public key. Reference: 
http://www.rsa.com . 

SHA-1 

A NIST defined hashing algorithm producing a 160 bit result from an arbitrary sized soupse as specified In 
FIPS 180-1. Reference: http://csrc.ncsl.nistgov/crvptval/shs.html . 

Storage Root Key (SRK) 
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The root key of a hierarchy of keys associated with a TPM; generated within a TPM; a non-migratable 
key. 

Subsystem 

The combination of the TSS and the TPM. 
Support Services (TSS) 

Sen/ices to support the TPM but which do not need the protection of the TPM. The same as Trusted 
Platfonm Support Services. 
Trusted Building Block (TBB) 

A trusted Platfonn is instantiated as a Trusted Building Block (TBB) which is the evaluated component of 
a trusted system. The TBB is composed of the TPM, the Core RTM and the connection between them. 

TCG-protected capability 

A function which is protected within the TPM, and has access to TPM secrets. 
TPM Identity 

One of the anonymous PKI identities belonging to a TPM; a TPM may have multiple identities. 
TPM POST 

TPM POST refers to the Power On Self Test performed by a TPM. 
Trusted Platform Agent (TPA) 

Trusted Platfonn Agent; the component within the platfomi that reports integrity metrics, logs. Validation 
Data, etc. to a Challenger; outside the scope of this specification. 
Trusted Platform Measurement Store (TPMS) 

Storage locations within the Subsystem, which contain unprotected logs of measurement process. 
Trusted Platform Module (TPM) 

The set of functions and data that are common to all types of platfomi which "^"^t be t^l^sWjiorthy ^ 
Subsystem is to be tmstworthy; a logical definition in terms of protected capabilities and shielded 
locations. 

Trusted Platform Support Services (TSS) 

The set of functions and data that are common to all types of platfonn. which are not required to be 
trustworthy (and therefore do not need to be part of the TPM). 

User 

An entity that uses the platfomi in which a TPM is installed. The only rights that a User has oyer a TPM 
are the rights given to the User by the Owner. These rights are expressed in J^e fonri of aut^^^^^ 
data, given by the Owner to the User, that pemiits access to entities protected by the TPM. The User of 
the platform is not necessarily the "owner" of the platfonn (e.g.. in a corporation, the owner of the platfonn 
might be the IT department while the User is an employee). There can be multiple Users. 

Validation Credential 

A credential that states values of measurements that should be obtained when measuring a particular 
part of the platform when the part is functioning as expected. 

Validation Data 

Data inside a Validation Credential: the values that the integrity measurements should produce when the 
part of a platfonn described by the Validation Credential is woricing conrectly. 

Validation Entity 
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An entity that issues a Validation Certificate for a component; the manufacturer of that component; an 
agent of the manufacturer of that component. 

Volatile 

Storage locations or memory that are either set to a predefined value (e.g.,zero) or have values that are 
undefined upon completion of a power-on or TPM Jnit function. 
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Appendix B: Key Usag Table 



This table summarizes the types of keys associated with a given TPM command. 





Section 


Name 


First Key 


Second Key 


SIGNING :q 
STORAGE ^ 

IDENTITY X 
AUTHCHG 

BIND 
LEEGACY 


Key 

iiii 

to ~ ^ 


BIND 
LEGACY 


5.6.1 


TPM ChangeAuth 


parent 


blob 




X 


XXX 


X X 


5.2.5 


TPM_OSAP 


entity 






X X X X X X 






5.7.1 


TPM_ChangeAuthAsymStart 


idKey 


ephemeral 




X 


X 




5.7.2 


TPM_ChangeAuthAsyinFinish 


parent 


ephemeral 




X 


X 




6.3.3 


TPM_Quote 


key 






XX X 






7.2.1 


TPM_Seal 


key 






X 






7.2.2 


TPM_Unseal 


parent 






X 






7.2.4 


TPM_UnBind 


key 






X X 






7.2.5 


TPM_CreateWrapKey 


parent 






X 






7.2.8 


TPM_LoadKey 


parent 


in Key 




X 


XXX 


X X 


7.2.10 


TPM_GetPubKey 


key 






X X X X X X 






7.2.11 


TPM CreateMigrationBlob 


parent 


blob 




X 


X X 


X X 


7.2.12 


TPM_ConvertMigrationBlob 


parent 






X 






8.3.1 


TPM_CertifyKey 


certKey 


inKey 




XX X 


XXX 


X X 


8.7.1 


TPM_Sign 


key 






X X 






8.9.2 


TPM_CertifySelfTest 


key 






XX X 






8.11.2 


TPM_GetCapabilitySigned 


key 






XX X 






8.12.2 


TPM_GetAuditEventSigned 


key 






XX X 






9.3.4 


TPM_Activate Identity 


idKey 






X 
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